Switch to using the inpcb MAC label instead of socket MAC label when

labeling new mbufs created from sockets/inpcbs in IPv4.  This helps avoid
the need for socket layer locking in the lower level network paths
where inpcb locks are already frequently held where needed.  In
particular:

- Use the inpcb for label instead of socket in raw_append().
- Use the inpcb for label instead of socket in tcp_output().
- Use the inpcb for label instead of socket in tcp_respond().
- Use the inpcb for label instead of socket in tcp_twrespond().
- Use the inpcb for label instead of socket in syncache_respond().

While here, modify tcp_respond() to avoid assigning NULL to a stack
variable and centralize assertions about the inpcb when inp is
assigned.

Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, McAfee Research

sys/netinet/raw_ip.c

@@ -248,7 +248,9 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
 	int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST;
 
 #ifdef MAC
-	mac_create_mbuf_from_socket(so, m);
+	INP_LOCK(inp);
+	mac_create_mbuf_from_inpcb(inp, m);
+	INP_UNLOCK(inp);
 #endif
 
 	/*

sys/netinet/tcp_output.c

@@ -692,7 +692,7 @@ tcp_output(struct tcpcb *tp)
 	}
 	m->m_pkthdr.rcvif = (struct ifnet *)0;
 #ifdef MAC
-	mac_create_mbuf_from_socket(so, m);
+	mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
 #endif
 #ifdef INET6
 	if (isipv6) {

sys/netinet/tcp_subr.c

@@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 	int isipv6;
 #endif /* INET6 */
 	int ipflags = 0;
-	struct inpcb *inp = NULL;
+	struct inpcb *inp;
 
 	KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
 
@@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
 		INP_INFO_WLOCK_ASSERT(&tcbinfo);
 		INP_LOCK_ASSERT(inp);
+	} else
+		inp = NULL;
+
+	if (tp != NULL) {
 		if (!(flags & TH_RST)) {
 			win = sbspace(&inp->inp_socket->so_rcv);
 			if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		 * Packet is associated with a socket, so allow the
 		 * label of the response to reflect the socket label.
 		 */
-		mac_create_mbuf_from_socket(inp->inp_socket, m);
+		INP_LOCK_ASSERT(inp);
+		mac_create_mbuf_from_inpcb(inp, m);
 	} else {
 		/*
 		 * Packet is not associated with a socket, so possibly

sys/netinet/tcp_syncache.c

@@ -1131,7 +1131,7 @@ syncache_respond(sc, m)
 	inp = sc->sc_tp->t_inpcb;
 	INP_LOCK(inp);
 #ifdef MAC
-	mac_create_mbuf_from_socket(inp->inp_socket, m);
+	mac_create_mbuf_from_inpcb(inp, m);
 #endif
 
 #ifdef INET6

sys/netinet/tcp_timewait.c

@@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 	int isipv6;
 #endif /* INET6 */
 	int ipflags = 0;
-	struct inpcb *inp = NULL;
+	struct inpcb *inp;
 
 	KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
 
@@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
 		INP_INFO_WLOCK_ASSERT(&tcbinfo);
 		INP_LOCK_ASSERT(inp);
+	} else
+		inp = NULL;
+
+	if (tp != NULL) {
 		if (!(flags & TH_RST)) {
 			win = sbspace(&inp->inp_socket->so_rcv);
 			if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 		 * Packet is associated with a socket, so allow the
 		 * label of the response to reflect the socket label.
 		 */
-		mac_create_mbuf_from_socket(inp->inp_socket, m);
+		INP_LOCK_ASSERT(inp);
+		mac_create_mbuf_from_inpcb(inp, m);
 	} else {
 		/*
 		 * Packet is not associated with a socket, so possibly

sys/netinet/udp_usrreq.c

@@ -728,7 +728,7 @@ udp_output(inp, m, addr, control, td)
 
 	INP_LOCK_ASSERT(inp);
 #ifdef MAC
-	mac_create_mbuf_from_socket(inp->inp_socket, m);
+	mac_create_mbuf_from_inpcb(inp, m);
 #endif
 
 	if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {