spctl(8)                  BSD System Manager's Manual                 spctl(8)

NAME
     spctl -- SecAssessment system policy security

SYNOPSIS
     spctl --assess [-t type] [-] file ...
     spctl --master-enable | --master-disable
     spctl --enable | --disable | --remove [-t type] [--path path]
           [--requirement requirement] [--anchor hash] [--hash hash]
     spctl --status

DESCRIPTION
     spctl manages the security assessment policy subsystem.

     This subsystem maintains and evaluates rules that determine whether the
     system allows the installation, execution, and other operations on files
     on the system.

     spctl requires one command option that determines its principal
     operation:

     --add    Add rule(s) to the system-wide assessment rule database.

     -a, --assess
              Requests that spctl perform an assessment on the files given.

     --disable
              Disable one or more rules in the assessment rule database.  Dis-
              abled rules are not considered when performing assessment, but
              remain in the database and can be re-enabled later.

     --enable
              Enable rule(s) in the assessment rule database, counteracting
              earlier disabling.

     --master-disable
              Disable the assessment subsystem altogether.  Operations that
              would be denied by system policy will be allowed to proceed;
              assessment APIs always report success.  Requires root access.

     --master-enable
              Enable the assessment subsystem.  Operations that are denied by
              system policy will fail; assessment APIs report the truth.
              Requires root access.

     --remove
              Remove rule(s) from the assessment rule database.

     --status
              Query whether the assessment subsystem is enabled or disabled.

     In addition, the following options are recognized:

     --anchor
              In rule update operations, indicates that the arguments are
              hashes of anchor certificates.

     --continue
              If the assessment of a file fails, continue assessing additional
              file arguments.  Without this option, the first failed assess-
              ment terminates operation.

     --hash   In rule update operations, indicates that the arguments are code
              directory hashes.

     --ignore-cache
              Do not query or use the assessment object cache.  This may sig-
              nificantly slow down operation.  Newly generated assessments may
              still be stored in the cache.

     --label label
              Specifies a string label to attach to new rules, or find in
              existing rules.  Labels are arbitrary strings that are assigned
              by convention.  Rule labels are optional.

     --no-cache
              Do not place the outcome of any assessments into the assessment
              object cache.  No other assessment may reuse this outcome.  This
              option does not prohibit the use of existing cache entries.

     --path   In rule update operations, indicates that the argument(s) denote
              paths to files on disk.

     --priority priority
              In rule update operations, specifies the priority of the rule(s)
              created or changed.  Priorities are floating-point numbers.
              Higher numeric values indicate higher priority.

     --raw    When displaying the outcome of an assessment, write it as a
              "raw" XML plist instead of parsing it in somewhat more friendly
              form.  This is useful when used in scripts, or to access newly
              invented assessment aspects that spctl does not yet know about.

     --requirement
              In rule update operations, indicates that the argument(s) are
              code requirement source.

     --rule   In rule update operations, indicates that the argument(s) are
              the index numbers of existing rules.

     -t, --type
              Specify which type of assessment is desired: execute to assess
              code execution, install to assess installation of an installer
              package, and open to assess the opening of documents.  The
              default is to assess execution.

     -v, --verbose
              Requests more verbose output.  Repeat the option or give it a
              higher numeric value to increase verbosity.

RULE SUBJECTS
     The system assessment rule database contains entries that match candi-
     dates based on Code Requirements.  spctl allows you to specify these
     requirements directly using the --requirement option.  In addition, indi-
     vidual programs on disk can be addressed with the --path option (which
     uses their Designated Requirement).  The --anchor option takes the hash
     of a (full) certificate and turns it into a requirement matching any sig-
     nature based on that anchor certificate.  Alternatively, it can take the
     absolute path of a certificate file on disk, containing the DER form of
     an anchor certificate.  Finally, the --hash option generates a code
     requirement that denotes only and exactly one program whose CodeDirectory
     hash is given.  The means of specifying subjects does not affect the
     remaining processing.

FILES
     /var/db/SystemPolicy  The system policy database.
                           A copy of the initial distribution version of the
                           system policy database.  Useful for starting over
                           if the database gets messed up beyond recognition.

EXAMPLES
     To check whether is allowed to run on the local system:
           spctl -a /Applications/

     To allow to run on the local system:
           spctl --add --label "My Stuff" /Applications/

     To forbid all code obtained from the Mac App Store from running:
           spctl --disable --label "Mac App Store"

DIAGNOSTICS
     spctl exits zero on success, or one if an operation has failed.  Exit
     code two indicates unrecognized or unsuitable arguments.  If an assess-
     ment operation results in denial but no other problem has occurred, the
     exit code is three.
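     The following is an added example and is not part of the spctl man page:
     a small POSIX sh wrapper that assesses several files and maps spctl's
     exit status (0, 1, 2 or 3, as listed above) to a verdict, so that a
     deployment or audit script can tell "denied by policy" apart from "the
     tool itself failed" and, like --continue, keeps going after the first
     failure.  It assumes spctl is on the PATH (i.e. it runs on macOS); the
     function names and the file paths in the usage comment are constructed
     placeholders.

```shell
#!/bin/sh
# Added example, not taken from the spctl(8) man page.  Exit status meanings
# follow the DIAGNOSTICS section:
#   0 = accepted by policy, 1 = operation failed, 2 = bad arguments,
#   3 = denied by policy (and nothing else went wrong).

# Turn one spctl exit status into a one-word verdict.
spctl_verdict() {
    case "$1" in
        0) echo accepted ;;
        1) echo error ;;
        2) echo usage ;;
        3) echo denied ;;
        *) echo "unknown($1)" ;;
    esac
}

# Assess one file for the given assessment type (execute, install or open).
# Prints "<verdict><TAB><file>" and returns spctl's own exit status, so the
# caller can distinguish a policy denial (3) from a tool failure (1 or 2).
assess_one() {
    _type=$1
    _file=$2
    if spctl --assess -t "$_type" "$_file" >/dev/null 2>&1; then
        _rc=0
    else
        _rc=$?
    fi
    printf '%s\t%s\n' "$(spctl_verdict "$_rc")" "$_file"
    return "$_rc"
}

# Assess every file given after the type.  A plain "spctl -a a b c" stops at
# the first failure unless --continue is passed; this loop always evaluates
# all of them and returns 0 only when every file was accepted.
assess_all() {
    _type=$1
    shift
    _failed=0
    for _f in "$@"; do
        assess_one "$_type" "$_f" || _failed=$((_failed + 1))
    done
    [ "$_failed" -eq 0 ]
}

# Usage (constructed placeholder paths):
#   assess_all execute /Applications/SomeTool.app /Applications/Other.app
#   assess_all install /tmp/SomePackage.pkg
```

     Because assess_all returns non-zero when any file was not accepted, it
     can gate a later step (for example, copying the bundle into place) on
     every file passing assessment.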


SEE ALSO
     codesign(1), syspolicyd(1)

HISTORY
     The system policy facility and spctl command first appeared in Mac OS X
     Lion 10.7.3 as a limited developer preview.

BSD                            January 19, 2012                            BSD

Mac OS X 10.9 - Generated Fri Oct 18 06:42:00 CDT 2013