Index: usr.sbin/ctld/kernel.c
===================================================================
--- usr.sbin/ctld/kernel.c
+++ usr.sbin/ctld/kernel.c
@@ -53,6 +53,7 @@
 #include <assert.h>
 #include <bsdxml.h>
 #include <ctype.h>
+#include <capsicum_helpers.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdint.h>
@@ -1313,23 +1314,19 @@
 void
 kernel_capsicate(void)
 {
-	int error;
 	cap_rights_t rights;
 	const unsigned long cmds[] = { CTL_ISCSI };
 
+	if (caph_enter() < 0)
+		log_err(1, "cap_enter");
+
 	cap_rights_init(&rights, CAP_IOCTL);
-	error = cap_rights_limit(ctl_fd, &rights);
-	if (error != 0 && errno != ENOSYS)
+	if (cap_rights_limit(ctl_fd, &rights) < 0)
 		log_err(1, "cap_rights_limit");
 
-	error = cap_ioctls_limit(ctl_fd, cmds, nitems(cmds));
-
-	if (error != 0 && errno != ENOSYS)
+	if (cap_ioctls_limit(ctl_fd, cmds, nitems(cmds)) < 0)
 		log_err(1, "cap_ioctls_limit");
 
-	error = cap_enter();
-	if (error != 0 && errno != ENOSYS)
-		log_err(1, "cap_enter");
 
 	if (cap_sandboxed())
 		log_debugx("Capsicum capability mode enabled");
Index: usr.sbin/fstyp/fstyp.c
===================================================================
--- usr.sbin/fstyp/fstyp.c
+++ usr.sbin/fstyp/fstyp.c
@@ -36,6 +36,7 @@
 #include <sys/ioctl.h>
 #include <sys/stat.h>
 #include <err.h>
+#include <capsicum_helpers.h>
 #include <errno.h>
 #include <stdbool.h>
 #include <stddef.h>
@@ -191,8 +192,7 @@
 	if (fp == NULL)
 		err(1, "%s", path);
 
-	error = cap_enter();
-	if (error != 0 && errno != ENOSYS)
+	if (caph_enter() < 0)
 		err(1, "cap_enter");
 
 	if (ignore_type == false)
Index: usr.sbin/iscsid/iscsid.c
===================================================================
--- usr.sbin/iscsid/iscsid.c
+++ usr.sbin/iscsid/iscsid.c
@@ -42,6 +42,7 @@
 #include <sys/capsicum.h>
 #include <sys/wait.h>
 #include <assert.h>
+#include <capsicum_helpers.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <libutil.h>
@@ -349,7 +350,6 @@
 static void
 capsicate(struct connection *conn)
 {
-	int error;
 	cap_rights_t rights;
 #ifdef ICL_KERNEL_PROXY
 	const unsigned long cmds[] = { ISCSIDCONNECT, ISCSIDSEND, ISCSIDRECEIVE,
@@ -359,20 +359,16 @@
 	    ISCSISREMOVE, ISCSISMODIFY };
 #endif
 
+	if (caph_enter() < 0)
+		log_err(1, "cap_enter");
+
 	cap_rights_init(&rights, CAP_IOCTL);
-	error = cap_rights_limit(conn->conn_iscsi_fd, &rights);
-	if (error != 0 && errno != ENOSYS)
+	if (cap_rights_limit(conn->conn_iscsi_fd, &rights) < 0)
 		log_err(1, "cap_rights_limit");
 
-	error = cap_ioctls_limit(conn->conn_iscsi_fd, cmds, nitems(cmds));
-
-	if (error != 0 && errno != ENOSYS)
+	if (cap_ioctls_limit(conn->conn_iscsi_fd, cmds, nitems(cmds)) < 0)
 		log_err(1, "cap_ioctls_limit");
 
-	error = cap_enter();
-	if (error != 0 && errno != ENOSYS)
-		log_err(1, "cap_enter");
-
 	if (cap_sandboxed())
 		log_debugx("Capsicum capability mode enabled");
 	else
Index: usr.sbin/uefisign/child.c
===================================================================
--- usr.sbin/uefisign/child.c
+++ usr.sbin/uefisign/child.c
@@ -38,6 +38,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <assert.h>
+#include <capsicum_helpers.h>
 #include <err.h>
 #include <errno.h>
 #include <stdio.h>
@@ -228,7 +229,6 @@
 child(const char *inpath, const char *outpath, int pipefd,
     bool Vflag, bool vflag)
 {
-	int error;
 	FILE *outfp = NULL, *infp = NULL;
 	struct executable *x;
 
@@ -236,8 +236,7 @@
 	if (outpath != NULL)
 		outfp = checked_fopen(outpath, "w");
 
-	error = cap_enter();
-	if (error != 0 && errno != ENOSYS)
+	if (caph_enter() < 0)
 		err(1, "cap_enter");
 
 	x = calloc(1, sizeof(*x));