ebpf: delete expired exec events from cache

Whenever a process exits, we delete the corresponding entry from
cache.

But when a process executes a new process (sh -c ls), we receive an
exit event for the parent, while the child continues working with *the
same PID*. Sometimes we don't receive exit events for the child, so the
entry was never removed from cache.

We should properly detect the exits, but forthe time being, delete
expired processes from cache every minute.

daemon/procmon/ebpf/cache.go

@@ -64,6 +64,17 @@ func (e *eventsStore) delete(key uint64) {
 	delete(e.execEvents, key)
 }
 
+func (e *eventsStore) DeleteOldItems() {
+	e.Lock()
+	defer e.Unlock()
+
+	for k, item := range e.execEvents {
+		if item.Proc.IsAlive() == false {
+			delete(e.execEvents, k)
+		}
+	}
+}
+
 //-----------------------------------------------------------------------------
 
 type ebpfCacheItem struct {

daemon/procmon/ebpf/monitor.go

@@ -39,6 +39,7 @@ func monitorCache() {
 			goto Exit
 		case <-ebpfCacheTicker.C:
 			ebpfCache.DeleteOldItems()
+			execEvents.DeleteOldItems()
 		}
 	}
 Exit: