Oracle Java 8u281 failed to obtain 'Files and Folders' permission

I'm trying to run a Java app (Jenkins agent) on macOS Catalina. I've noticed a strange difference in behaviour when I run different JDKs. The app uses an external volume, and that requires 'Files and Folders' or 'Full Disk Access' to be given through the TCC mechanism. When I run Oracle JDK 8u181 it works perfectly: a dialog popped up, and when consent was given it ran as expected.
 
However, when I run the latest Oracle JDK 8u281, it did NOT show the confirmation dialog and the Java process got stuck. I tried to add Full Disk Access (FDA) permission manually via the System Preferences / Privacy form, but it didn't help whatsoever.
 
If it makes any difference, the java process is run through the following sequence:
Code Block
launchd -> bash -> pwsh -> java

I tried to look through the log using
Code Block
log stream --info --debug --signpost --predicate 'eventMessage contains[c] "tcc"'>/tmp/tcc.log

but didn't spot anything apart from the fact of disk access denial. See one of the log entries below:
Code Block
Binary Images:
0x10107f000 - 0x10108dfff java (0) <97808bb8-580d-3f38-9044-b4f6cec58080> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
0x101600000 - 0x101c4bfff libjvm.dylib (0) <131bee22-7c2b-3195-a329-718bcdc429cd> /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/jre/lib/server/libjvm.dylib
0x7fff324c7000 - 0x7fff32947ff3 com.apple.CoreFoundation (6.9 - 1675.129) <db597dfa-08f8-379b-881e-b4fbdef347f1> /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
0x7fff6c571000 - 0x7fff6c5a7fff libdyld.dylib (750.5) <ae420e8b-c04f-38f0-9195-7b7acb9ed801> /usr/lib/system/libdyld.dylib
0x7fff6c6cc000 - 0x7fff6c6f8ff7 libsystem_kernel.dylib (6153.101.6) <8c658b3d-4c50-3068-aca1-a69da839a66e> /usr/lib/system/libsystem_kernel.dylib
0x7fff6c78e000 - 0x7fff6c798fff libsystem_pthread.dylib (416.100.3) <fb288f3d-4c8c-3f35-abd3-aba5844529f1> /usr/lib/system/libsystem_pthread.dylib
2021-02-18 02:56:21.587280-0800 0x1571 Error 0x0 569 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: java(717) System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Violation: System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Process: java [717]
Path: /Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java
Load Address: 0x10107f000
Identifier: java
Version: ??? (???)
Code Type: x86_64 (Native)
Parent Process: pwsh [712]
Responsible: /bin/bash [/usr/local/bin/jenkins-runner.sh]
User ID: 501
Date/Time: 2021-02-18 02:56:21.535 PST
OS Version: Mac OS X 10.15.4 (19E2269)
Report Version: 8
MetaData: {"errno":1,"platform-binary":false,"operation":"file-write-data","rdev":0,"build":"Mac OS X 10.15.4 (19E2269)","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","vnode-type":"REGULAR-FILE","responsible-process-path":"/bin/bash","apple-internal":false,"mount-rdev":16777223,"platform-policy":true,"process":"java","profile":"platform","responsible-process-uid":501,"process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","hardlinked":false,"uid":501,"action":"deny","hardware":"Mac","primary-filter-value":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","signing-id":"com.oracle.java.8u281.java","matched-user-intent-extension":false,"path":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","normalized_target":["Volumes","Data","Jenkins","remoting","logs","remoting.log.0.lck"],"flags":5,"matched-extension":false,"primary-filter":"path","responsible-process-user-uuid":"81D04F01-50FD-4944-8CE2-E23F8879D562","platform_binary":"no","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","storage-class":"kTCCServiceSystemPolicyRemovableVolumes","pid":717,"team-id":"VB5E2TV963","summary":"deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck","profile-flags":0}
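
Added example (not part of the original post, and not Apple's or Oracle's code): a Python sketch that parses a sandboxd violation report like the one quoted above and pulls out the TCC service named under "user-approval", the binary that was denied, and the process the report lists as responsible. The sample input is abbreviated from the post's own report; the function names are illustrative.

```python
import json
import re

# Abbreviated from the violation report quoted in the post above; the MetaData
# object is trimmed to the keys this example reads.
SAMPLE_REPORT = '''\
Violation: System Policy: deny(1) file-write-data /Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck
Process: java [717]
Responsible: /bin/bash [/usr/local/bin/jenkins-runner.sh]
MetaData: {"errno":1,"operation":"file-write-data","user-approval":"kTCCServiceSystemPolicyRemovableVolumes","responsible-process-path":"/bin/bash","process-path":"/Library/Java/JavaVirtualMachines/jdk1.8.0_281.jdk/Contents/Home/bin/java","action":"deny","signing-id":"com.oracle.java.8u281.java","responsible-process-hosted-path":"/usr/local/bin/jenkins-runner.sh","team-id":"VB5E2TV963","target":"/Volumes/Data/Jenkins/remoting/logs/remoting.log.0.lck"}
'''

# "Key: value" header lines; timestamped log lines and image addresses do not match.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s+(.*)$")

def parse_report(text):
    """Return (header fields, MetaData dict) from a sandboxd violation report."""
    headers, meta = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key != "MetaData":
            headers.setdefault(key, value)
            continue
        try:
            meta = json.loads(value)
        except json.JSONDecodeError:
            meta = {}  # log line was truncated; fall back to the headers
    return headers, meta

def summarize(text):
    """Pick out what was denied, to whom, and which TCC service gates it."""
    headers, meta = parse_report(text)
    denied = meta.get("process-path") or headers.get("Path")
    responsible = meta.get("responsible-process-path")
    return {
        "action": meta.get("action"),
        "operation": meta.get("operation"),
        "target": meta.get("target"),
        "service": meta.get("user-approval") or meta.get("storage-class"),
        "denied_process": denied,
        "signing_id": meta.get("signing-id"),
        "responsible_binary": responsible,
        "responsible_script": meta.get("responsible-process-hosted-path"),
        "responsible_differs": bool(responsible) and responsible != denied,
    }

if __name__ == "__main__":
    for field, value in summarize(SAMPLE_REPORT).items():
        print(f"{field:20} {value}")
```

On the report from the post this shows the denial was gated by kTCCServiceSystemPolicyRemovableVolumes and that the report names /bin/bash (hosting /usr/local/bin/jenkins-runner.sh), not the java binary, as the responsible process.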


Replies

I'm trying to run a Java app

Define app in this context? It is a bundle with the .app extension and an Info.plist file that points to the main executable in Contents/MacOS?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

By 'app' I mean just a jar package, not a macOS app. So, the java process is run as java -jar agent.jar <ARGS>.

By app I mean just a jar package

Ah. Unfortunately I have no idea how that’s going to interact with TCC )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

In fact, there is some difference between Java runtimes. I managed to get the 'Files and Folders' popup only for JDK 8u181. All other Java 8 versions (latest Azul, latest Adopt, latest Oracle) just can't do that. In cases not requiring access to an external drive, all versions work just fine.

I have a somewhat similar issue. Since Big Sur, one of my machines cannot read files from the Desktop (AdoptOpenJDK 11). Granting java full disk permissions didn't fix it. My app is distributed as an .app. The launcher uses /usr/libexec/java_home to find a suitable Java vendor, which -- in this case -- returns /Library/Java/JavaVirtualMachines/adoptopenjdk-11.jdk/Contents/Home.

What's most troubling is the "Application Foo is trying to Access the Desktop" popup doesn't show on the offending machine.