From c0b0f1d6c5bdeff73e7e84dc799c4009f18608c4 Mon Sep 17 00:00:00 2001 From: Nicholas Berlin Date: Tue, 5 Nov 2024 14:21:28 -0500 Subject: [PATCH] Use bpf_ktime_get_boot_ns instead bpf_ktime_get_ns does not include suspension time, but we would like ts to represent real world time. Switching the helper function achieves that. The helper was introduced in 5.8 which is earlier than our current support range, 5.10 --- GPL/Events/File/Probe.bpf.c | 8 ++++---- GPL/Events/Network/Probe.bpf.c | 2 +- GPL/Events/Process/Probe.bpf.c | 22 +++++++++++----------- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c index 7beb4d66..556cf532 100644 --- a/GPL/Events/File/Probe.bpf.c +++ b/GPL/Events/File/Probe.bpf.c @@ -123,7 +123,7 @@ static int vfs_unlink__exit(int ret) } event->hdr.type = EBPF_EVENT_FILE_DELETE; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); ebpf_cred_info__fill(&event->creds, task); @@ -228,7 +228,7 @@ static void prepare_and_send_file_event(struct file *f, return; event->hdr.type = type; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); struct task_struct *task = (struct task_struct *)bpf_get_current_task(); struct path p = BPF_CORE_READ(f, f_path); @@ -483,7 +483,7 @@ static int vfs_rename__exit(int ret) struct dentry *de = (struct dentry *)state->rename.de; event->hdr.type = EBPF_EVENT_FILE_RENAME; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); ebpf_cred_info__fill(&event->creds, task); event->mntns = mntns(task); @@ -551,7 +551,7 @@ static void file_modify_event__emit(enum ebpf_file_change_type typ, struct path } event->hdr.type = EBPF_EVENT_FILE_MODIFY; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); event->change_type = typ; ebpf_pid_info__fill(&event->pids, task); ebpf_cred_info__fill(&event->creds, task); diff --git a/GPL/Events/Network/Probe.bpf.c b/GPL/Events/Network/Probe.bpf.c index dedb11af..f0f151f4 100644 --- a/GPL/Events/Network/Probe.bpf.c +++ b/GPL/Events/Network/Probe.bpf.c @@ -121,7 +121,7 @@ static int udp_skb_handle(struct sk_buff *skb, enum ebpf_net_udp_info evt_type) struct task_struct *task = (struct task_struct *)bpf_get_current_task(); ebpf_pid_info__fill(&event->pids, task); bpf_get_current_comm(event->comm, TASK_COMM_LEN); - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); // constrain the read size to make the verifier happy // see skb_headlen() in skbuff.h diff --git a/GPL/Events/Process/Probe.bpf.c b/GPL/Events/Process/Probe.bpf.c index ef509577..5da18756 100644 --- a/GPL/Events/Process/Probe.bpf.c +++ b/GPL/Events/Process/Probe.bpf.c @@ -53,7 +53,7 @@ int BPF_PROG(sched_process_fork, const struct task_struct *parent, const struct goto out; event->hdr.type = EBPF_EVENT_PROCESS_FORK; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->parent_pids, parent); ebpf_pid_info__fill(&event->child_pids, child); ebpf_cred_info__fill(&event->creds, parent); @@ -103,7 +103,7 @@ int BPF_PROG(sched_process_exec, goto out; event->hdr.type = EBPF_EVENT_PROCESS_EXEC; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); ebpf_cred_info__fill(&event->creds, task); @@ -199,7 +199,7 @@ static int taskstats_exit__enter(const struct task_struct *task, int group_dead) goto out; event->hdr.type = EBPF_EVENT_PROCESS_EXIT; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); // The exit _status_ is stored in the second byte of task->exit_code int exit_code = BPF_CORE_READ(task, exit_code); @@ -255,7 +255,7 @@ int tracepoint_syscalls_sys_exit_setsid(struct syscall_trace_exit *args) goto out; event->hdr.type = EBPF_EVENT_PROCESS_SETSID; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); @@ -281,7 +281,7 @@ int BPF_PROG(module_load, struct module *mod) goto out; event->hdr.type = EBPF_EVENT_PROCESS_LOAD_MODULE; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); @@ -351,7 +351,7 @@ int BPF_KPROBE(kprobe__ptrace_attach, goto out; event->hdr.type = EBPF_EVENT_PROCESS_PTRACE; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); @@ -391,7 +391,7 @@ int tracepoint_syscalls_sys_enter_shmget(struct syscall_trace_enter *ctx) goto out; event->hdr.type = EBPF_EVENT_PROCESS_SHMGET; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); event->key = ex_args->key; @@ -431,7 +431,7 @@ int tracepoint_syscalls_sys_enter_memfd_create(struct syscall_trace_enter *ctx) goto out; event->hdr.type = EBPF_EVENT_PROCESS_MEMFD_CREATE; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); event->flags = ex_args->flags; ebpf_pid_info__fill(&event->pids, task); @@ -473,7 +473,7 @@ static int commit_creds__enter(struct cred *new) goto out; event->hdr.type = EBPF_EVENT_PROCESS_SETUID; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); @@ -498,7 +498,7 @@ static int commit_creds__enter(struct cred *new) goto out; event->hdr.type = EBPF_EVENT_PROCESS_SETGID; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); ebpf_pid_info__fill(&event->pids, task); @@ -543,7 +543,7 @@ static int output_tty_event(struct ebpf_tty_dev *slave, const void *base, size_t task = (struct task_struct *)bpf_get_current_task(); event->hdr.type = EBPF_EVENT_PROCESS_TTY_WRITE; - event->hdr.ts = bpf_ktime_get_ns(); + event->hdr.ts = bpf_ktime_get_boot_ns(); u64 len_cap = base_len > TTY_OUT_MAX ? TTY_OUT_MAX : base_len; event->tty_out_truncated = base_len > TTY_OUT_MAX ? base_len - TTY_OUT_MAX : 0; event->tty = *slave;