I will do it, thanks a lot! @eskimo. Btw: I feel there is a security concern if a process is muted by path, let's say if I muted a trusted process by path, however, the process might be replaced by a totally different one with the same path, then the events of the "new" one also are muted, right?

Agree with you, thanks @eskimo. Btw: FB9726842 for your reference.

Thanks a lot, @eskimo. The issue was found on macOS 10.15, let me test it on the latest macOS.

@eskimo, more findings, if NSTask is launched successfully, then there is no leak. The leak happens when failed to launch task or not to launch task.

Hi @eskimo, please refer to FB11991632.

Yes, @eskimo. I enabled the ARC.

Thanks @eskimo, I see the main issue in both production(activate system extension again during the upgrade product) and developer machines(can reproduce by multiple activations). And both log of sysextd and nesessionmanager to show the system extension should be launched, but not. Btw, I noticed that if I activate system extension multiple times, the old ones would be terminated by sysextd, so looks no need to do deactivation before activate it?

Thanks @eskimo. I actually used a GUI app in response to user actions indeed.

Thanks, @eskimo. So that means daemons do not have ATS restrictions when using HTTP, right? Actually, I encountered the error message 'The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.' while using NSURLSession to access a website via HTTP from my daemon on macOS 11. Interestingly, I cannot reproduce the same issue on macOS 12 and 13. It appears to be a bug specific to macOS 11?

https://developer.apple.com/documentation/devicemanagement/privacypreferencespolicycontrol/services?language=objc, it should be supported in MDM.