NAME
     spctl -- SecAssessment system policy security

SYNOPSIS
     spctl --assess [-t type] [-] file ...
     spctl --master-enable | --master-disable
     spctl --enable | --disable [--path path] [--requirement requirement] [--anchor hash] [--hash hash]

DESCRIPTION
     Manages the security assessment policy subsystem. This subsystem maintains and evaluates rules that determine
     whether the system allows the installation, execution, and other operations on files on the system.
     The following commands are recognized:

     --master-disable
             Disable the assessment subsystem altogether. Operations that would be denied by system policy will be
             allowed to proceed; assessment APIs always report success. Requires root access.

     --master-enable
             Enable the assessment subsystem. Operations that are denied by system policy will fail; assessment APIs
             report the truth. Requires root access.

     --status
             Query whether the assessment subsystem is enabled or disabled.

     --add   Add rule(s) to the system-wide assessment rule database.

     --remove
             Remove rule(s) from the assessment rule database.

     --assess
             Requests that spctl perform an assessment on the files given.

     --disable
             Disable one or more rules in the assessment rule database. Disabled rules are not considered when
             performing assessment, but remain in the database and can be re-enabled later.

     --enable
             Enable rule(s) in the assessment rule database, counteracting earlier disabling.
     In addition, the following options are recognized:

     --continue
             If the assessment of a file fails, continue assessing additional file arguments. Default: the first
             failed assessment terminates operation.

     --anchor hash
             Used in rule update operations; arguments are hashes of anchor certificates.

     --path path
             Used in rule update operations; arguments denote paths to files on disk.

     --rule number
             Used in rule update operations; arguments are the index numbers of existing rules.

     --hash hash
             Used in rule update operations; arguments are code directory hashes.

     --requirement requirement
             Used in rule update operations; arguments are code requirement source.

     --priority number
             The priority of the rule(s) created or changed. Priorities are floating-point numbers. Higher numeric
             values indicate higher priority.

     --ignore-cache
             Do not query or use the assessment object cache. This may significantly slow down operation. Newly
             generated assessments may still be stored in the cache.

     --label label
             Attach label to new rules, or find it in existing rules. Labels are arbitrary strings that are assigned
             by convention. Rule labels are optional.

     --no-cache
             Do not place the outcome of any assessments into the assessment object cache. No other assessment may
             reuse this outcome. This option does not prohibit the use of existing cache entries.

     --raw   When displaying the outcome of an assessment, write it as a "raw" XML plist instead of parsing it into
             a somewhat more friendly form. This is useful in scripts, or to access newly invented assessment aspects
             that spctl does not yet know about.

     --type type
             Specify which type of assessment is desired: execute to assess code execution, install to assess
             installation of an installer package, and open to assess the opening of documents. The default is to
             assess execution.

     --verbose
             Requests more verbose output. Repeat it or give it a higher numeric value to increase verbosity.
     The system assessment rule database contains entries that match candidates based on Code Requirements. spctl allows you to specify
these requirements directly using the --requirement option. In addition, individual programs on disk can be addressed with the --path
option (which uses their Designated Requirement). The --anchor option takes the hash of a (full) certificate and turns it into a
requirement matching any signature based on that anchor certificate. Alternatively, it can take the absolute path of a certificate file
on disk, containing the DER form of an anchor certificate. Finally, the --hash option generates a code requirement that denotes only and
exactly one program whose CodeDirectory hash is given. The means of specifying subjects does not affect the remaining processing.
FILES
     /var/db/SystemPolicy
             The system policy database.

     A copy of the initial distribution version of the system policy database is also kept. It is useful for
     starting over if the database gets messed up beyond recognition.
EXAMPLES
     To check whether Mail.app is allowed to run on the local system:

           spctl -a /Applications/Mail.app

     To allow Frobozz.app to run on the local system:

           spctl --add --label "My Stuff" /Applications/Frobozz.app

     To forbid all code obtained from the Mac App Store from running:

           spctl --disable --label "Mac App Store"
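The following script is an added example, not part of the spctl man page: it assesses every application path given on the command line with `spctl --assess --type execute`, keeps going after a denial the way `--continue` does, and tallies the result using the exit statuses documented below (3 = denied, 1 = error, 2 = bad arguments). The script name `gatekeeper-audit.sh` and the treatment of exit status 0 as "accepted" are assumptions; it needs macOS to actually invoke spctl.

```shell
#!/bin/sh
# gatekeeper-audit.sh (assumed name): report which bundles the system policy
# would refuse to execute. Added example, not code from the spctl man page.

# Translate an spctl exit status into a verdict word. Statuses 1-3 follow the
# EXIT STATUS section of the man page; 0 is taken to mean "accepted" (assumption).
explain_status() {
    case "$1" in
        0) echo "accepted" ;;
        1) echo "error" ;;
        2) echo "bad-arguments" ;;
        3) echo "denied" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Assess a single path for the given assessment type (default: execute).
# Prints "<verdict><TAB><path>" and returns spctl's own exit status so the
# caller can distinguish a policy denial (3) from a tool error (1).
assess_one() {
    kind="${2:-execute}"
    spctl --assess --type "$kind" "$1" >/dev/null 2>&1
    rc=$?
    printf '%s\t%s\n' "$(explain_status "$rc")" "$1"
    return "$rc"
}

# Assess every argument without stopping at the first failure, then print a
# summary. Exits 3 if anything was denied (mirroring spctl's convention) so
# the script can gate a CI job or a scheduled compliance check.
audit_apps() {
    denied=0
    errors=0
    for app in "$@"; do
        assess_one "$app" execute
        rc=$?
        if [ "$rc" -eq 3 ]; then denied=$((denied + 1))
        elif [ "$rc" -ne 0 ]; then errors=$((errors + 1)); fi
    done
    printf 'assessed=%d denied=%d errors=%d\n' "$#" "$denied" "$errors" >&2
    [ "$denied" -eq 0 ]
}

# Usage: sh gatekeeper-audit.sh /Applications/*.app
if [ "$#" -gt 0 ]; then
    audit_apps "$@" || exit 3
fi
```

Rerun a denied path by hand with `spctl --assess --type execute -v <path>` to see why the policy rejected it.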
EXIT STATUS
     1       An operation has failed.
     2       Unrecognized or unsuitable arguments.
     3       An assessment operation resulted in denial, but no other problem has occurred.

HISTORY
     The system policy facility and the spctl command first appeared in Mac OS X Lion 10.7.3 as a limited developer preview.