Security.framework’s spctl --assess --direct doesn’t work as non-root in 10.10 and 10.11

Originator:mark
Number:rdar://23611423 Date Originated:2015-11-19
Status:Behaves correctly Resolved:2016-01-13
Product:OS X Product Version:10.11.1 15B42
Classification:Other Bug Reproducible:Always
 
Normally, spctl --assess consults syspolicyd to perform the assessment. It is also possible to make spctl perform the assessment itself by using spctl --assess --direct. This worked correctly through OS X 10.9, but broke in OS X 10.10, and remained broken in OS X 10.11

Steps to Reproduce:
$ spctl --assess --direct -vv /Applications/Calculator.app

Expected Results:
When run on 10.9:

$ spctl --assess --direct -vv /Applications/Calculator.app
/Applications/Calculator.app: rejected
source=obsolete resource envelope
origin=Software Signing

Ignore the fact that spctl disapproves of Calculator.app by showing “rejected” on 10.9. What counts is that spctl was able to perform an assessment.

Actual Results:
When run on 10.10 or 10.11:

$ spctl --assess --direct -vv /Applications/Calculator.app
/Applications/Calculator.app: permission to use a database denied

$ sudo spctl --assess --direct -vv /Applications/Calculator.app
/Applications/Calculator.app: accepted
source=Apple System
origin=Software Signing

Version:
This bug occurs in 10.11.1 15B42 and 10.10.5 14F1021. It does not occur in 10.9.5 13F1134. This is a regression.

Comments

Apple Developer Relations 13-Jan-2016 05:49 PM

Engineering has the following feedback for you:

In modern, contemporary systems, the —direct mode must be run as root. This is not a bug; spctl —direct is a debug/development mode, and is not meant for deployment scenarios.

Thank you for your feedback. Engineering has determined that this issue behaves as intended.

We are now closing this bug report.

If you just have questions about the resolution, then please update your bug report with that information so we can respond.

By mark at Jan. 13, 2016, 10:56 p.m. (reply...)

To further highlight the problem, spctl --assess --direct shows “permission to use a database denied” when run as non-root.

By mark at Nov. 19, 2015, 3:39 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!