Can you tell me how you call es_respond_flags_result(4)? I tried es_respond_flags_result(client, message, ES_AUTH_RESULT_ALLOW, true), es_respond_flags_result(client, message, 4, true), and es_respond_flags_result(client, message, 0x7FFFFFFF, true), but no luck: it still freezes the Mac and kills my process or the user session.
Hi eskimo, thanks for your reply. I tried the following code with no luck; it still freezes the Mac and kills my process or the user session. Can you take a look? When I remove the auth_open event type, it works as expected.

int SEListener::startListen()
{
    int res = 0;
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if ((res = es_new_client(&m_esClient, ^(es_client_t *client, const es_message_t *message) {
        static pid_t self_pid = getpid();
        switch (message->event_type) {
            case ES_EVENT_TYPE_AUTH_OPEN:
            {
                pid_t pid = audit_token_to_pid(message->process->audit_token);
                if (pid == self_pid)
                    es_mute_process(client, &message->process->audit_token);
                es_respond_flags_result(client, message, FREAD | FWRITE, true);
                break;
            }
            case ES_EVENT_TYPE_NOTIFY_OPEN:
                break;
            default:
                break;
        }
    })) != ES_NEW_CLIENT_RESULT_SUCCESS)
    {
        printf("es_new_client error:%d\n", res);
        return res;
    }
    if ((res = es_clear_cache(m_esClient)) != ES_CLEAR_CACHE_RESULT_SUCCESS)
    {
        printf("es_clear_cache failed\n");
        return res;
    }
    if ((res = es_subscribe(m_esClient, events, (sizeof(events) / sizeof(events[0])))) != ES_RETURN_SUCCESS)
    {
        printf("es_subscribe failed\n");
        return res;
    }
    return res;
}

Thanks for your reply. I need the thread ID because previously we managed access requests based on threads, so we allow/block by thread ID. Now that I have moved to EndpointSecurity, I want to keep the mechanism the same as the old one, because we have some customers who have already used it for a long time. I don't want to disturb them with this change. I guess it may make them redesign their code, which would take a lot of work. So please consider it. Thanks so much.
BTW, how do I submit a radar request?