diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
index 7beb4d66..556cf532 100644
--- a/GPL/Events/File/Probe.bpf.c
+++ b/GPL/Events/File/Probe.bpf.c
@@ -123,7 +123,7 @@ static int vfs_unlink__exit(int ret)
 }
 event->hdr.type = EBPF_EVENT_FILE_DELETE;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
 ebpf_cred_info__fill(&event->creds, task);
@@ -228,7 +228,7 @@ static void prepare_and_send_file_event(struct file *f,
 return;
 event->hdr.type = type;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 struct path p = BPF_CORE_READ(f, f_path);
@@ -483,7 +483,7 @@ static int vfs_rename__exit(int ret)
 struct dentry *de = (struct dentry *)state->rename.de;
 event->hdr.type = EBPF_EVENT_FILE_RENAME;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
 ebpf_cred_info__fill(&event->creds, task);
 event->mntns = mntns(task);
@@ -551,7 +551,7 @@ static void file_modify_event__emit(enum ebpf_file_change_type typ, struct path
 }
 event->hdr.type = EBPF_EVENT_FILE_MODIFY;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 event->change_type = typ;
 ebpf_pid_info__fill(&event->pids, task);
 ebpf_cred_info__fill(&event->creds, task);
diff --git a/GPL/Events/Network/Probe.bpf.c b/GPL/Events/Network/Probe.bpf.c
index dedb11af..f0f151f4 100644
--- a/GPL/Events/Network/Probe.bpf.c
+++ b/GPL/Events/Network/Probe.bpf.c
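Review bot: bpf_ktime_get_boot_ns() is a newer helper than bpf_ktime_get_ns() (it was added in Linux 5.8), so every program that now calls it — the four hunks in this file plus those in Network/Probe.bpf.c and Process/Probe.bpf.c — will be rejected at load time on older kernels where the previous call worked; the commit should state the new minimum kernel or gate the call behind a runtime feature check. The switch also changes the meaning of hdr.ts from CLOCK_MONOTONIC to CLOCK_BOOTTIME (suspend time included), so any userspace conversion to wall-clock that still samples CLOCK_MONOTONIC will drift by the accumulated suspend time — presumably that side is updated elsewhere, but it is not visible here. Since the same one-line replacement is repeated at every emit site, a single `static inline u64 ebpf_event_ts(void) { return bpf_ktime_get_boot_ns(); }` in the shared header would make the clock source a one-place decision and keep future event types consistent. The enclosing functions of each hunk start and end outside the hunk.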
@@ -121,7 +121,7 @@ static int udp_skb_handle(struct sk_buff *skb, enum ebpf_net_udp_info evt_type)
 struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 ebpf_pid_info__fill(&event->pids, task);
 bpf_get_current_comm(event->comm, TASK_COMM_LEN);
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 // constrain the read size to make the verifier happy
 // see skb_headlen() in skbuff.h
diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c
index ef509577..5da18756 100644
--- a/GPL/Events/Process/Probe.bpf.c
+++ b/GPL/Events/Process/Probe.bpf.c
@@ -53,7 +53,7 @@ int BPF_PROG(sched_process_fork, const struct task_struct *parent, const struct
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_FORK;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->parent_pids, parent);
 ebpf_pid_info__fill(&event->child_pids, child);
 ebpf_cred_info__fill(&event->creds, parent);
@@ -103,7 +103,7 @@ int BPF_PROG(sched_process_exec,
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_EXEC;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
 ebpf_cred_info__fill(&event->creds, task);
@@ -199,7 +199,7 @@ static int taskstats_exit__enter(const struct task_struct *task, int group_dead)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_EXIT;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 // The exit _status_ is stored in the second byte of task->exit_code
 int exit_code = BPF_CORE_READ(task, exit_code);
@@ -255,7 +255,7 @@ int tracepoint_syscalls_sys_exit_setsid(struct syscall_trace_exit *args)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_SETSID;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
@@ -281,7 +281,7 @@ int BPF_PROG(module_load, struct module *mod)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_LOAD_MODULE;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
@@ -351,7 +351,7 @@ int BPF_KPROBE(kprobe__ptrace_attach,
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_PTRACE;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
@@ -391,7 +391,7 @@ int tracepoint_syscalls_sys_enter_shmget(struct syscall_trace_enter *ctx)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_SHMGET;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
 event->key = ex_args->key;
@@ -431,7 +431,7 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct syscall_trace_enter *ctx)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_MEMFD_CREATE;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 event->flags = ex_args->flags;
 ebpf_pid_info__fill(&event->pids, task);
@@ -473,7 +473,7 @@ static int commit_creds__enter(struct cred *new)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_SETUID;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
@@ -498,7 +498,7 @@ static int commit_creds__enter(struct cred *new)
 goto out;
 event->hdr.type = EBPF_EVENT_PROCESS_SETGID;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 ebpf_pid_info__fill(&event->pids, task);
@@ -543,7 +543,7 @@ static int output_tty_event(struct ebpf_tty_dev *slave, const void *base, size_t
 task = (struct task_struct *)bpf_get_current_task();
 event->hdr.type = EBPF_EVENT_PROCESS_TTY_WRITE;
- event->hdr.ts = bpf_ktime_get_ns();
+ event->hdr.ts = bpf_ktime_get_boot_ns();
 u64 len_cap = base_len > TTY_OUT_MAX ? TTY_OUT_MAX : base_len;
 event->tty_out_truncated = base_len > TTY_OUT_MAX ? base_len - TTY_OUT_MAX : 0;
 event->tty = *slave;