
adding access groups to entitlement database

Posted: Thu Feb 16, 2017 4:44 pm
by backendbilly
I think it would make sense to add access groups from keychain-access-groups to the entitlement database. The reason is that access groups can also be thought of as an extension to the keychain-access-groups entitlement. For example, binaries with the "keychain-access-groups" entitlement may contain the access group "apple". In this case, the access group "apple" is exclusive only to native iOS binaries. As an example, this would come in handy when needing to know which iOS binaries have access to specific keychain items with a particular access group.

Example:

Code:
~ root# grep -rs "com.apple.safari.credit-cards" /
Binary file /Applications/MobileSafari.app/MobileSafari matches
Binary file /Applications/Preferences.app/Preferences matches
Binary file /Applications/SafariViewService.app/SafariViewService matches
Binary file /Applications/Web.app/Web matches
Binary file /Applications/WebApp1.app/WebApp1 matches
Binary file /Applications/WebSheet.app/WebSheet matches
...
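
An added example, not part of the original post or of the entitlement database project: a sketch of the group-to-binary index the post asks for. It assumes each binary carries its signed entitlements as an embedded XML plist and finds them with a byte-level heuristic; the paths and entitlement contents in the sample are constructed.

```python
import plistlib
import re
from collections import defaultdict

KEY = "keychain-access-groups"
# Heuristic: the signed entitlements are stored in the binary as an XML plist,
# so pull every XML plist out of the raw bytes instead of parsing Mach-O.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)

def access_groups(blob):
    """Return the access groups declared in any embedded entitlements plist."""
    groups = set()
    for match in PLIST_RE.finditer(blob):
        try:
            doc = plistlib.loads(match.group(0))
        except Exception:      # not a well-formed plist: skip this candidate
            continue
        value = doc.get(KEY, []) if isinstance(doc, dict) else []
        if isinstance(value, str):   # tolerate a single string value
            value = [value]
        groups.update(g for g in value if isinstance(g, str))
    return groups

def build_index(binaries):
    """Map access group -> sorted list of binary paths that declare it."""
    index = defaultdict(list)
    for path in sorted(binaries):
        for group in access_groups(binaries[path]):
            index[group].append(path)
    return dict(index)

def fake_binary(entitlements=None, strings=b""):
    """Constructed stand-in for a signed binary: junk, strings, optional plist."""
    plist = plistlib.dumps(entitlements) if entitlements else b""
    return b"\xcf\xfa\xed\xfe" + strings + b"\x00" + plist + b"\x00\x00"

# Constructed sample data; paths and entitlement contents are hypothetical.
GROUP = "com.apple.safari.credit-cards"
SAMPLE = {
    "/Applications/ExampleA.app/ExampleA": fake_binary({KEY: [GROUP, "apple"]}),
    "/Applications/ExampleB.app/ExampleB": fake_binary({KEY: ["apple"]}),
    # Mentions the group only as a string constant: grep matches, index does not.
    "/Applications/ExampleC.app/ExampleC": fake_binary(
        {"get-task-allow": True}, strings=GROUP.encode()),
}

if __name__ == "__main__":
    for group, paths in sorted(build_index(SAMPLE).items()):
        print(group, "->", ", ".join(paths))
```

Unlike the recursive grep, the index lists a binary only when the group appears under keychain-access-groups in a parsed plist, so a binary that merely contains the string is not reported.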