Thanks! That will solve our issues with that. Is there a way to extract source app for a packet with packet filter? I see there is a context, but I'm not sure what and how we can extract from it.
Thought that too, but I do not see any new flow when calling ping.
Same as with raw sockets.
EDIT: saw you wrote NEFilterPacketProvider. Is it not possible using DataProvider?
Also, in what way can I get packet type in PacketProvider?
Sorry, I forgot to mention that part - macOS
Hi Matt,
This crash doesn't sound Extension related, and yet it happens only when extension is installed.
Also - I am struggling with attaching Instruments to the Network Extension, as I keep getting:
Unable to acquire required task port
I am compiling the extension in debug mode with the get-task-allow entitlement, and with hardened runtime disabled. It is signed with a development provisioning profile. Is there anything else I am missing?
So what might cause the crash, if network extension is not even in the stack trace?
Also, we have been seeing a lot of issues when trying to attach to signed processes with Instruments (even when signed for debug), is there a way around it?
Won't that just allow me to get audit_token for my own process? As I'm not able to call task_info for any other process (as I can't get its task port).
Exactly.
Hi, You might need to approve Full Disk Access to your extension. This is done in System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Maybe @eskimo can explain why it is required/not included as part of the entitlements.
Hi @eskimo, It's been more than a month, with no answer on this or the bug I have opened. After moving from an EndpointSecurity daemon to a SystemExtension, things have gotten even worse, with the compilation time of a test project rising from 8-9 minutes to 15-16 minutes (with minimal to no actions taken in between receiving the ES_EVENT_TYPE_AUTH_EXEC message and authorizing it). Am I missing something? We cannot use the caching mechanism until we know what actually is being cached - if the executable is changed, is the cache invalidated? For anti-virus/security products, this is kind of crucial.