Gandi has a need for a per-thread credential API for a userspace file server. This idea isn't new: it was proposed by Isilon and a design was drafted here: https://wiki.freebsd.org/Per-Thread%20Credentials. This differential implements this design.
Interaction with other parts: These syscalls may only be called by privileged processes, and the tainted threads will necessarily be "dropping" privileges from the process, so all cred checks (cansched, candebug, cansee, etc.) will be less permissive for the tainted threads.
Process tainting: at the moment, tainting a thread will taint the containing process, to comply with issetugid(2). However, there is no way to untaint a process once setcred(2) has been called, because this would mean having to check every thread. A solution to this would be to add a per-process counter of tainted threads and only untaint the process iff the counter hits 0.
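A sketch of the counter-based untaint scheme proposed above, as an added example and not code from this differential: struct proc / struct thread are simplified stand-ins, and the locking a real kernel would need around the counter is assumed to be handled by the caller.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical, simplified stand-ins for the kernel's struct proc and struct thread. */
struct proc {
    bool     p_tainted;   /* what issetugid(2) reports for the process */
    unsigned p_ntainted;  /* proposed: number of threads currently tainted */
};

struct thread {
    struct proc *td_proc;
    bool         td_tainted;  /* thread runs on per-thread credentials */
};

/* Called when a thread switches to per-thread credentials (setcred(2)).
 * Idempotent: a thread that is already tainted must not be counted twice,
 * or the counter would never return to 0. Caller holds the proc lock. */
void thread_taint(struct thread *td)
{
    struct proc *p = td->td_proc;
    if (td->td_tainted)
        return;
    td->td_tainted = true;
    p->p_ntainted++;
    p->p_tainted = true;  /* issetugid(2) now sees the process as tainted */
}

/* Called when a tainted thread reverts to the process credentials or exits.
 * The process is untainted exactly when the last tainted thread goes away,
 * without scanning the thread list. Caller holds the proc lock. */
void thread_untaint(struct thread *td)
{
    struct proc *p = td->td_proc;
    if (!td->td_tainted)
        return;
    td->td_tainted = false;
    assert(p->p_ntainted > 0);
    if (--p->p_ntainted == 0)
        p->p_tainted = false;
}

int proc_issetugid(const struct proc *p)
{
    return p->p_tainted ? 1 : 0;
}
```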
Jails: Tainted threads inherit prisons from the containing process. I'm not familiar with the jail internals in the kernel, but as far as I can tell the existing mechanisms for processes should hold.
Auditing: a PR has been opened with the openbsm project here to reserve event numbers 4326[3-5]. I've also added some code in sys/security/audit/audit_bsm.c to encode arguments.
For visibility, I added the new information to ddb. Specifically the ps command now displays the thread in the UID column if the thread is tainted (used to be empty space), and a more complete breakdown with all the GIDs is available with show thread ... command.