Channel: rtrouton – Der Flounder

Blocking Oracle Java


As a follow-up to my previous post on removing Oracle Java, Mac admins may be asked to block Oracle Java instead of removing it. This can be challenging, but it is possible with the right information and tools. For more details, please see below the jump.

Normally, there are three approaches you can take on macOS when you need to block an app:

  1. Block by process name
  2. Block by code signature
  3. Block with parental controls

Block by process name

Blocking by process name is problematic in this case, since the process name for Oracle's Java and for any non-Oracle Java is almost certainly going to be identical (for example, java). Blocking Oracle's Java by process name means that the non-Oracle Java you may be installing to replace it will be caught by the same process-based block.

This is to say nothing of apps which may have embedded Java runtimes you’re not aware of; blocking Oracle’s Java by process may inadvertently also block the processes run by an app’s embedded Java runtime.


Block by code signature

This is likely the best approach, since Oracle Java's code signature (its Team Identifier) and bundle identifier identify Oracle's binaries specifically, without catching other vendors' Java. Solutions which can do this include the following:

These solutions should be able to block by the code signature’s Team Identifier and the java binaries’ bundle identifier(s). You can find these by running the following command:

codesign -dv /path/to/java/binary

Here’s an example of using the codesign command to get the code signature’s Team Identifier and the bundle identifier for the java binary in Oracle’s Java JDK 11.0.20:

  • Bundle identifier: the Identifier= line of the codesign output
  • Team Identifier: the TeamIdentifier= line of the codesign output

username@computername ~ % codesign -dv /Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Executable=/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Identifier=com.oracle.java.11.0.20.java
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=936 flags=0x10000(runtime) hashes=18+7 location=embedded
Signature size=9010
Timestamp=Jun 14, 2023 at 5:32:54 AM
Info.plist entries=5
TeamIdentifier=VB5E2TV963
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=188
username@computername ~ %

Note: The bundle identifier may be different for each version of Oracle’s Java. You may be able to block using only the Team Identifier, but the drawback of this is that you may also block other Oracle apps which use that same code signing Team Identifier, like Oracle’s VirtualBox hypervisor software:

username@computername ~ % codesign -dv /Applications/VirtualBox.app
Executable=/Applications/VirtualBox.app/Contents/MacOS/VirtualBox
Identifier=org.virtualbox.app.VirtualBox
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=19145 flags=0x10000(runtime) hashes=587+7 location=embedded
Signature size=9009
Timestamp=Jul 27, 2023 at 11:49:35 AM
Info.plist entries=17
TeamIdentifier=VB5E2TV963
Runtime Version=10.15.6
Sealed Resources version=2 rules=13 files=224
Internal requirements count=1 size=192
username@computername ~ %
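To put the two identifiers above to use, here is an added example script (written for this page, not code from the original post, Oracle or Apple) that classifies a codesign report as Oracle Java, another Oracle product sharing the same Team ID, a different vendor's Java, or unsigned, and then lists the bin directories of the Oracle JDKs installed under /Library/Java/JavaVirtualMachines. The Team ID VB5E2TV963 and the com.oracle.java. identifier prefix are taken from the codesign output above; the JDK install location, the constructed sample reports and the helper function names are assumptions. One practical detail the script depends on: codesign -dv writes its report to stderr, so the output has to be captured with 2>&1 before it can be parsed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Oracle/Apple.
# Sorts java binaries into Oracle Java vs. everything else using the fields
# that "codesign -dv" reports, so a block rule can key on Oracle's
# TeamIdentifier plus a com.oracle.java.* Identifier instead of the process
# name "java", which every vendor's JVM shares.
#
# Assumptions (not from the post except where noted):
#   - Oracle's Team ID VB5E2TV963 and the com.oracle.java.* identifier
#     prefix come from the post's codesign output.
#   - JDKs live under /Library/Java/JavaVirtualMachines/<name>/Contents/Home.
#   - "codesign -dv" writes its report to stderr, so it is captured with 2>&1.

ORACLE_TEAM_ID="VB5E2TV963"
JVM_DIR="/Library/Java/JavaVirtualMachines"

# Print the value of one "Name=value" line from a codesign report read on stdin.
codesign_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Classify a captured codesign report (passed as one string).
# Prints one of: oracle-java, other-oracle, other-team, unsigned.
classify_report() {
    team=$(printf '%s\n' "$1" | codesign_field TeamIdentifier)
    ident=$(printf '%s\n' "$1" | codesign_field Identifier)
    if [ -z "$team" ] || [ "$team" = "not set" ]; then
        # Unsigned, ad-hoc signed, or signed without a team: no Team ID to match.
        echo unsigned
    elif [ "$team" != "$ORACLE_TEAM_ID" ]; then
        echo other-team
    else
        case "$ident" in
            com.oracle.java.*) echo oracle-java ;;   # Oracle's JDK/JRE binaries
            *)                 echo other-oracle ;;  # e.g. VirtualBox, same Team ID
        esac
    fi
}

# Run codesign on a real path and classify it (macOS only).
classify_binary() {
    # codesign exits non-zero for unsigned code; keep its message and carry on.
    report=$(codesign -dv "$1" 2>&1) || true
    classify_report "$report"
}

# Walk installed JDKs and print the bin directory of each Oracle java, which
# is the path-level unit a directory block list needs.
list_oracle_java_bin_dirs() {
    for java in "$JVM_DIR"/*/Contents/Home/bin/java; do
        [ -x "$java" ] || continue   # glob matched nothing, or no binary there
        if [ "$(classify_binary "$java")" = "oracle-java" ]; then
            dirname "$java"
        fi
    done
}

# Constructed sample reports, trimmed to the lines the classifier reads.
# The first two mirror the post's output; the other two are made up.
SAMPLE_ORACLE_JDK="Executable=/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home/bin/java
Identifier=com.oracle.java.11.0.20.java
TeamIdentifier=VB5E2TV963"
SAMPLE_VIRTUALBOX="Executable=/Applications/VirtualBox.app/Contents/MacOS/VirtualBox
Identifier=org.virtualbox.app.VirtualBox
TeamIdentifier=VB5E2TV963"
SAMPLE_OTHER_JDK="Executable=/Library/Java/JavaVirtualMachines/example-jdk/Contents/Home/bin/java
Identifier=com.example.jdk.java
TeamIdentifier=EXAMPLE123"
SAMPLE_ADHOC="Executable=/tmp/java
Identifier=java
TeamIdentifier=not set"

for sample in "$SAMPLE_ORACLE_JDK" "$SAMPLE_VIRTUALBOX" "$SAMPLE_OTHER_JDK" "$SAMPLE_ADHOC"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$sample" | codesign_field Executable)" \
        "$(classify_report "$sample")"
done

# Only meaningful on a Mac with the codesign tool present.
if command -v codesign >/dev/null 2>&1; then
    echo "Oracle java bin directories on this Mac:"
    list_oracle_java_bin_dirs
fi
```

Because the script keys on both the Team ID and the com.oracle.java. identifier prefix, VirtualBox, which shares Oracle's Team ID, is reported as other-oracle rather than treated as Java, and a java binary from another vendor is reported as other-team. The bin directories it prints are the paths you would put on the profile block list described in the next section.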

Block with parental controls

You can use a macOS configuration profile to set all binaries in a particular directory path to be blocked from running. While this functionality has been deprecated by Apple as of macOS Catalina, it continues to work as of macOS Ventura.

In this case, you can add the enclosing directory paths of Oracle's Java binaries to the block list and so prevent those binaries from running:

username@computername ~ % java -version
exec failed: Error Domain=NSPOSIXErrorDomain Code=13 "Permission denied" UserInfo={NSLocalizedFailureReason=Failed to execute /Library/Java/JavaVirtualMachines/jdk-1.8.jdk/Contents/Home/bin/java: Permission denied}
username@computername ~ %

When you set a block list using a profile, be aware that an administrator account can override it: when the block is triggered, an administrator can choose to override it once or permanently.

[Screenshot taken 2023-08-10 of the administrator override prompt]

For those who want to block Oracle’s Java binaries using a macOS configuration profile, I’ve created an example profile and posted it here on GitHub:

https://github.com/rtrouton/profiles/tree/main/BlockOracleJavaBinariesFromRunning
