manpagez: man pages & more
man spctl(8)
Home | html | info | man
spctl(8)                  BSD System Manager's Manual                 spctl(8)


NAME

     spctl -- SecAssessment system policy security


SYNOPSIS

     spctl --assess [-t type] [-] file ...
     spctl --master-enable | --master-disable
     spctl --enable | --disable | --remove [-t type] [--path path]
           [--requirement requirement] [--anchor hash] [--hash hash]
     spctl --status


DESCRIPTION

     spctl manages the security assessment policy subsystem.

     This subsystem maintains and evaluates rules that determine whether the
     system allows the installation, execution, and other operations on files
     on the system.

     spctl requires one command option that determines its principal opera-
     tion:

     --add    Add rule(s) to the system-wide assessment rule database.

     -a, --assess
              Requests that spctl perform an assessment on the files given.

     --disable
              Disable one or more rules in the assessment rule database.  Dis-
              abled rules are not considered when performing assessment, but
              remain in the database and can be re-enabled later.

     --enable
              Enable rule(s) in the assessment rule database, counteracting
              earlier disabling.

     --disable

     --master-disable
              Disable the assessment subsystem altogether.  Operations that
              would be denied by system policy will be allowed to proceed;
              assessment APIs always report success.  Requires root access.

     --master-enable
              Enable the assessment subsystem.  Operations that are denied by
              system policy will fail; assessment APIs report the truth.
              Requires root access.

     --remove
              Remove rule(s) from the assessment rule database.

     --status
              Query whether the assessment subsystem is enabled or disabled.

     In addition, the following options are recognized:

     --anchor
              In rule update operations, indicates that the arguments are
              hashes of anchor certificates.

     --continue
              If the assessment of a file fails, continue assessing additional
              file arguments.  Without this option, the first failed assess-
              ment terminates operation.

     --hash   In rule update operations, indicates that the arguments are code
              directory hashes.

     --ignore-cache
              Do not query or use the assessment object cache.  This may sig-
              nificantly slow down operation.  Newly generated assessments may
              still be stored in the cache.

     --label label
              Specifies a string label to attach to new rules, or find in
              existing rules.  Labels are arbitrary strings that are assigned
              by convention.  Rule labels are optional.

     --no-cache
              Do not place the outcome of any assessments into the assessment
              object cache.  No other assessment may reuse this outcome.  This
              option not prohibit the use of existing cache entries.

     --path   In rule update operations, indicates that the argument(s) denote
              paths to files on disk.

     --priority priority
              In rule update operations, specifies the priority of the rule(s)
              created or changed.  Priorities are floating-point numbers.
              Higher numeric values indicate higher priority.

     --raw    When displaying the outcome of an assessment, write it as a
              "raw" XML plist instead of parsing it in somewhat more friendly
              form.  This is useful when used in scripts, or to access newly
              invented assessment aspects that spctl does not yet know about.

     --requirement
              In rule update operations, indicates that the argument(s) are
              code requirement source.

     --rule   In rule update operations, indicates that the argument(s) are
              the index numbers of existing rules.

     -t, --type
              Specify which type of assessment is desired: execute to assess
              code execution, install to assess installation of an installer
              package, and open to assess the opening of documents.  The
              default is to assess execution.

     -v, --verbose
              Requests more verbose output.  Repeat the option or give it a
              higher numeric value to increase verbosity.


RULE SUBJECTS

     The system assessement rule database contains entries that match candi-
     dates based on Code Requirements.  spctl allows you to specify these
     requirements directly using the --requirement option.  In addition, indi-
     vidual programs on disk can be addressed with the --path option (which
     uses their Designated Requirement).  The --anchor option takes the hash
     of a (full) certificate and turns it into a requirement matching any sig-
     nature based on that anchor certificate.  Alternatively, it can take the
     absolute path of a certificate file on disk, containing the DER form of
     an anchor certificate.  Finally, the --hash option generates a code
     requirement that denotes only and exactly one program whose CodeDirectory
     hash is given.  The means of specifying subjects does not affect the
     remaining processing.


FILES

     /var/db/SystemPolicy  The system policy database.
     /var/db/.SystemPolicy-default
                           A copy of the initial distribution version of the
                           system policy database.  Useful for starting over
                           if the database gets messed up beyond recognition.


EXAMPLES

     To check whether Mail.app is allowed to run on the local system:
           spctl -a /Applications/Mail.app

     To allow Frobozz.app to run on the local system:
           spctl --add --label "My Stuff" /Applications/Frobozz.app

     To forbid all code obtained from the Mac App Store from running:
           spctl --disable --label "Mac App Store"


DIAGNOSTICS

     spctl exits zero on success, or one if an operation has failed.  Exit
     code two indicates unrecognized or unsuitable arguments.  If an assess-
     ment operation results in denial but no other problem has occurred, the
     exit code is three.


SEE ALSO

     codesign(1), syspolicyd(1)


HISTORY

     The system policy facility and spctl command first appeared in Mac OS X
     Lion 10.7.3 as a limited developer preview.

BSD                            January 19, 2012                            BSD

Mac OS X 10.9 - Generated Fri Oct 18 06:42:00 CDT 2013
© manpagez.com 2000-2024
Individual documents may contain additional copyright information.