DF-0510
Credential bypass via thread0 fallback in socket operations: root creds for all ksocket ops
Summary
Three call sites (at :546, :661 and :886) choose the thread used for socket operations with td = curthread->td_proc ? curthread : &thread0 /* XXX broken */. When netgraph message processing runs in a context where curthread->td_proc == NULL (kernel threads, softirq, deferred processing), the fallback selects thread0, whose credential is cr0, i.e. root. That td is then passed to socreate, sobind, solisten, soconnect, sosend and soreceive, so every privilege check on the path is evaluated against root: PRIV_NET_RAW for SOCK_RAW sockets, PRIV_NET_PRIV_PORT for binds to ports below 1024, jail address-binding restrictions and the firewall bypass check. The result is a sandbox, jail or capsicum escape via ng_ksocket. The developer comment already acknowledges the fallback is broken.
Fix: refuse the operation when td_proc == NULL, or take a crhold reference to the creator's credential at node creation and use that stored credential for all later socket operations instead of the current thread.
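Added illustration for this record: a small user-space C model (not FreeBSD's ng_ksocket code) showing the broken fallback next to the two fixes proposed above; the struct layouts, the crhold/crfree stand-ins and the cred_for_op_* function names are hypothetical, and the threads are constructed samples.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal model of the kernel objects involved; not the real FreeBSD definitions. */
struct ucred  { int uid; int refcnt; };
struct proc   { int pid; };
struct thread { struct proc *td_proc; struct ucred *td_ucred; };

static struct ucred  cr0     = { 0, 1 };          /* root credential */
static struct thread thread0 = { NULL, &cr0 };    /* kernel thread, no td_proc */

/* Stand-ins for crhold()/crfree(): reference counting on a credential. */
static struct ucred *crhold(struct ucred *cr) { cr->refcnt++; return cr; }
static void crfree(struct ucred *cr) { if (--cr->refcnt < 0) abort(); }

/* Constructed samples: a normal user thread and a deferred-processing
 * context with no owning process (the situation the finding describes). */
static struct proc   user_proc   = { 100 };
static struct ucred  user_cred   = { 1001, 1 };
struct thread user_thread     = { &user_proc, &user_cred };
struct thread deferred_thread = { NULL, NULL };

/* Broken selection: a context without a process silently gets root. */
struct ucred *cred_for_op_broken(struct thread *curthread) {
    struct thread *td = curthread->td_proc ? curthread : &thread0; /* XXX broken */
    return td->td_ucred;
}

/* Fix 1: refuse the socket operation when there is no owning process;
 * the caller maps NULL to an error and drops the message. */
struct ucred *cred_for_op_refuse(struct thread *curthread) {
    return curthread->td_proc == NULL ? NULL : curthread->td_ucred;
}

/* Fix 2: capture the creator's credential at node creation and use it for
 * every later socket operation, whatever thread delivers the message. */
struct ksocket_node { struct ucred *cred; };

struct ksocket_node *node_create(struct thread *creator) {
    struct ksocket_node *n = calloc(1, sizeof *n);
    if (n != NULL) n->cred = crhold(creator->td_ucred);
    return n;
}
struct ucred *cred_for_op_stored(const struct ksocket_node *n) { return n->cred; }
void node_destroy(struct ksocket_node *n) { crfree(n->cred); free(n); }

/* Create a node as the user, read its credential from a deferred context,
 * and release it; returns the uid seen, or -1 if the refcount did not balance. */
int stored_cred_roundtrip(void) {
    struct ksocket_node *n = node_create(&user_thread);
    if (n == NULL) return -1;
    int uid = cred_for_op_stored(n)->uid;    /* deferred_thread is irrelevant here */
    node_destroy(n);
    return user_cred.refcnt == 1 ? uid : -1;
}
```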