I am using a BPF probe on sys_execve() to log current->start_boottime along with UID, GID, nspid etc. The probe also logs the current time using bpf_ktime_get_ns().

I am logging start_boottime a.k.a. CLOCK_BOOTTIME (and not current->start_time a.k.a. CLOCK_MONOTONIC) because I need to compare PID start times with values from /proc/pid/stat which also outputs pid->start_boottime.

How can I get the current time as CLOCK_BOOTTIME from my BPF probe? bpf_ktime_get_ns() returns CLOCK_MONOTONIC time as documented on kernel.org.

I can use bpf_ktime_get_ns() + (current->start_boottime - current->start_time) but I'm hoping there's a more straightforward way that also works for other probes which don't run in a process context.

bpf_ktime_get_boot_ns() is available but only since Linux 5.8.

asked Dec 2, 2025 at 20:23
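
Added example, not part of the original post: a userspace-side workaround for kernels without bpf_ktime_get_boot_ns(), which shifts the probe's bpf_ktime_get_ns() stamps by the current CLOCK_BOOTTIME minus CLOCK_MONOTONIC offset and matches start_boottime against field 22 of /proc/pid/stat. It assumes the consumer runs in the initial time namespace and re-samples the offset after every resume from suspend (the two clocks diverge only while suspended); all function names and the sample line are constructed for illustration.

```python
import os
import time

NSEC_PER_SEC = 1_000_000_000

# Constructed sample; comm deliberately contains a space and a ')'.
SAMPLE_STAT = ("4242 (my proc) 9) S 1 4242 4242 0 -1 4194304 120 0 0 0 "
               "3 1 0 0 20 0 1 0 123456 1000000 200")

def boot_minus_mono_ns():
    """Current CLOCK_BOOTTIME - CLOCK_MONOTONIC (time spent suspended so far)."""
    # Read monotonic on both sides of boottime and use the midpoint to bound skew.
    m1 = time.clock_gettime_ns(time.CLOCK_MONOTONIC)
    b = time.clock_gettime_ns(time.CLOCK_BOOTTIME)
    m2 = time.clock_gettime_ns(time.CLOCK_MONOTONIC)
    return b - (m1 + m2) // 2

def mono_to_boot_ns(ktime_ns, offset_ns):
    """Shift a bpf_ktime_get_ns() value onto the CLOCK_BOOTTIME timeline."""
    return ktime_ns + offset_ns

def stat_starttime_ticks(stat_line):
    """Field 22 (starttime) of a /proc/<pid>/stat line, in clock ticks."""
    # comm (field 2) may contain spaces and ')': split after the LAST ')'.
    rest = stat_line[stat_line.rindex(")") + 1:].split()
    return int(rest[19])  # rest[0] is field 3 (state), so field 22 is rest[19]

def ticks_to_ns(ticks, hz):
    return ticks * NSEC_PER_SEC // hz

def same_process(start_boottime_ns, stat_line, hz):
    """True if a logged start_boottime matches the /proc entry's starttime."""
    # /proc truncates the nanosecond value to whole ticks, so compare in ticks.
    tick_ns = NSEC_PER_SEC // hz
    return start_boottime_ns // tick_ns == stat_starttime_ticks(stat_line)

if __name__ == "__main__":
    hz = os.sysconf("SC_CLK_TCK")
    offset = boot_minus_mono_ns()
    now_mono = time.clock_gettime_ns(time.CLOCK_MONOTONIC)  # stand-in for a probe stamp
    print("suspend offset ns:", offset)
    print("probe stamp as boottime ns:", mono_to_boot_ns(now_mono, offset))
    with open("/proc/self/stat") as f:
        print("own starttime ns:", ticks_to_ns(stat_starttime_ticks(f.read()), hz))
```

An offset sampled once goes stale across a suspend/resume cycle, so events stamped before a suspend must be converted with the offset that was valid at that time.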
