Index: usr.sbin/bhyve/Makefile =================================================================== --- usr.sbin/bhyve/Makefile +++ usr.sbin/bhyve/Makefile @@ -73,6 +73,11 @@ LIBADD= vmmapi md pthread z util sbuf cam +.if ${MK_CASPER} != "no" +CFLAGS+= -DWITH_CASPER +LIBADD+= casper cap_fileargs +.endif + .if ${MK_INET_SUPPORT} != "no" CFLAGS+=-DINET .endif Index: usr.sbin/bhyve/bhyverun.c =================================================================== --- usr.sbin/bhyve/bhyverun.c +++ usr.sbin/bhyve/bhyverun.c @@ -32,9 +32,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include @@ -43,9 +40,6 @@ #include #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -54,7 +48,7 @@ #include #include #include -#include +#include #include #include #include @@ -904,11 +898,9 @@ struct vmctx *ctx; int error; bool reinit, romboot; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; const cap_ioctl_t *cmds; size_t ncmds; -#endif reinit = romboot = false; @@ -947,20 +939,17 @@ exit(4); } -#ifndef WITHOUT_CAPSICUM + /* Apply capsicum */ cap_rights_init(&rights, CAP_IOCTL, CAP_MMAP_RW); - if (cap_rights_limit(vm_get_device_fd(ctx), &rights) == -1 && - errno != ENOSYS) + if (cap_rights_limit(vm_get_device_fd(ctx), &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); vm_get_ioctls(&ncmds); cmds = vm_get_ioctls(NULL); if (cmds == NULL) errx(EX_OSERR, "out of memory"); - if (cap_ioctls_limit(vm_get_device_fd(ctx), cmds, ncmds) == -1 && - errno != ENOSYS) + if (cap_ioctls_limit(vm_get_device_fd(ctx), cmds, ncmds) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); free((cap_ioctl_t *)cmds); -#endif if (reinit) { error = vm_reinit(ctx); 
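Review bot: The new `.if ${MK_CASPER} != "no"` block defines `WITH_CASPER` and links `casper cap_fileargs`, but no hunk on this page references `WITH_CASPER` or any cap_fileargs call, so as far as the visible change goes these libraries are linked without a consumer. If the consumer is in a part of the change not shown here, a one-line comment above the block naming that source file would keep the dependency from looking orphaned, e.g. `# libcasper/cap_fileargs are used by <CONSUMER-FILE-PLACEHOLDER> for fd delegation`. Note also that the C sources below drop every `WITHOUT_CAPSICUM` guard regardless of `MK_CASPER`, so this knob only controls Casper, not whether the sandbox itself is applied.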
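Review bot: Dropping `&& errno != ENOSYS` from the `cap_rights_limit()` and `cap_ioctls_limit()` checks in this hunk turns a kernel without Capsicum support, which the old code deliberately tolerated, into a hard `errx(EX_OSERR, ...)` exit, and with the `WITHOUT_CAPSICUM` guard gone there is no build-time opt-out either. That is a sensible hardening, but the new `/* Apply capsicum */` comment does not record it, and the same pattern recurs in the block_if.c, consport.c, dbgport.c, gdb.c, mevent.c, pci_e82545.c, pci_passthru.c, pci_virtio_net.c, pci_virtio_rnd.c, rfb.c and uart_emul.c hunks, so one comment here should carry the intent. Suggest `/* Sandbox the vmm device fd: only the vmm ioctls and RW mmap stay usable. Failure, including ENOSYS from a kernel built without Capsicum, is fatal by design. */` in place of the placeholder, and the same wording at the second `/* Apply capsicum */` in the later bhyverun.c hunk. The ENOSYS-tolerant form survives unchanged in the pci_virtio_console.c hunk and is raised there. The enclosing function continues outside the hunk.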
@@ -1201,15 +1190,13 @@ */ setproctitle("%s", vmname); -#ifndef WITHOUT_CAPSICUM + /* Apply capsicum */ caph_cache_catpages(); - if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1) + if (caph_limit_stdout() < 0 || caph_limit_stderr() < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - - if (caph_enter() == -1) + if (caph_enter() < 0) errx(EX_OSERR, "cap_enter() failed"); -#endif /* * Add CPU 0 Index: usr.sbin/bhyve/block_if.c =================================================================== --- usr.sbin/bhyve/block_if.c +++ usr.sbin/bhyve/block_if.c @@ -32,9 +32,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -42,6 +39,7 @@ #include #include +#include #include #include #include @@ -406,10 +404,8 @@ off_t size, psectsz, psectoff; int extra, fd, i, sectsz; int nocache, sync, ro, candelete, geom, ssopt, pssopt; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { DIOCGFLUSH, DIOCGDELETE }; -#endif pthread_once(&blockif_once, blockif_init); @@ -467,15 +463,13 @@ goto err; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_FSYNC, CAP_IOCTL, CAP_READ, CAP_SEEK, CAP_WRITE); if (ro) cap_rights_clear(&rights, CAP_FSYNC, CAP_WRITE); - if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(fd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Deal with raw devices @@ -503,10 +497,8 @@ } else psectsz = sbuf.st_blksize; -#ifndef WITHOUT_CAPSICUM - if (cap_ioctls_limit(fd, cmds, nitems(cmds)) == -1 && errno != ENOSYS) + if (cap_ioctls_limit(fd, cmds, nitems(cmds)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif if (ssopt != 0) { if (!powerof2(ssopt) || !powerof2(pssopt) || ssopt < 512 || Index: usr.sbin/bhyve/consport.c =================================================================== --- usr.sbin/bhyve/consport.c +++ usr.sbin/bhyve/consport.c 
@@ -32,11 +32,9 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include +#include #include #include #include @@ -112,10 +110,8 @@ uint32_t *eax, void *arg) { static int opened; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; -#endif if (bytes == 2 && in) { *eax = BVM_CONS_SIG; @@ -135,16 +131,12 @@ return (-1); if (!opened) { -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); - if (cap_rights_limit(STDIN_FILENO, &rights) == -1 && - errno != ENOSYS) + if (cap_rights_limit(STDIN_FILENO, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(STDIN_FILENO, cmds, nitems(cmds)) == -1 && - errno != ENOSYS) + if (cap_ioctls_limit(STDIN_FILENO, cmds, nitems(cmds)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif ttyopen(); opened = 1; } Index: usr.sbin/bhyve/dbgport.c =================================================================== --- usr.sbin/bhyve/dbgport.c +++ usr.sbin/bhyve/dbgport.c @@ -32,14 +32,12 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include #include +#include #include #include #include @@ -132,9 +130,7 @@ init_dbgport(int sport) { int reuse; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif conn_fd = -1; @@ -165,11 +161,9 @@ exit(4); } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_READ, CAP_WRITE); - if (cap_rights_limit(listen_fd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(listen_fd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif register_inout(&dbgport); } Index: usr.sbin/bhyve/gdb.c =================================================================== --- usr.sbin/bhyve/gdb.c +++ usr.sbin/bhyve/gdb.c @@ -30,9 +30,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include 
@@ -41,9 +38,7 @@ #include #include #include -#ifndef WITHOUT_CAPSICUM #include -#endif #include #include #include @@ -166,13 +161,11 @@ logfile = fopen("/tmp/bhyve_gdb.log", "w"); if (logfile == NULL) return; -#ifndef WITHOUT_CAPSICUM - if (caph_limit_stream(fileno(logfile), CAPH_WRITE) == -1) { + if (caph_limit_stream(fileno(logfile), CAPH_WRITE) < 0) { fclose(logfile); logfile = NULL; return; } -#endif setlinebuf(logfile); } va_start(ap, fmt); @@ -1243,7 +1236,7 @@ pthread_mutex_unlock(&gdb_lock); } -#ifndef WITHOUT_CAPSICUM +/* Apply capsicum */ void limit_gdb_socket(int s) { @@ -1252,12 +1245,11 @@ cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE, CAP_SETSOCKOPT, CAP_IOCTL); - if (cap_rights_limit(s, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(s, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(s, ioctls, nitems(ioctls)) == -1 && errno != ENOSYS) + if (cap_ioctls_limit(s, ioctls, nitems(ioctls)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); } -#endif void init_gdb(struct vmctx *_ctx, int sport, bool wait) @@ -1306,8 +1298,6 @@ if (fcntl(s, F_SETFL, flags | O_NONBLOCK) == -1) err(1, "Failed to mark gdb socket non-blocking"); -#ifndef WITHOUT_CAPSICUM limit_gdb_socket(s); -#endif mevent_add(s, EVF_READ, new_connection, NULL); } Index: usr.sbin/bhyve/mevent.c =================================================================== --- usr.sbin/bhyve/mevent.c +++ usr.sbin/bhyve/mevent.c @@ -37,6 +37,7 @@ __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -46,9 +47,6 @@ #include #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include @@ -408,9 +406,7 @@ int mfd; int numev; int ret; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif mevent_tid = pthread_self(); mevent_set_name(); 
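Review bot: The `/* Apply capsicum */` line that replaces `#ifndef WITHOUT_CAPSICUM` above `limit_gdb_socket()` reads as a leftover placeholder rather than a function comment; now that the function is unconditional and externally visible it deserves a real header, e.g. `/* Restrict the gdb listening socket to accept/event/read/write/setsockopt plus the ioctls in ioctls[]; exits on failure. */`. The `ioctls` array it passes is defined outside the hunk, so its contents cannot be checked here. Separately, the context line `fopen("/tmp/bhyve_gdb.log", "w")` in the first gdb.c hunk predates this change, but with the sandbox now unconditional it is worth confirming whether that open is ever reached after `caph_enter()`; absolute-path opens are refused in capability mode, in which case the function returns silently and the new `caph_limit_stream() < 0` path is never exercised.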
@@ -418,11 +414,9 @@ mfd = kqueue(); assert(mfd > 0); -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_KQUEUE); - if (cap_rights_limit(mfd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(mfd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Open the pipe that will be used for other threads to force @@ -435,13 +429,11 @@ exit(0); } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); - if (cap_rights_limit(mevent_pipefd[0], &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(mevent_pipefd[0], &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_rights_limit(mevent_pipefd[1], &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(mevent_pipefd[1], &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Add internal event handler for the pipe write fd Index: usr.sbin/bhyve/pci_e82545.c =================================================================== --- usr.sbin/bhyve/pci_e82545.c +++ usr.sbin/bhyve/pci_e82545.c @@ -33,9 +33,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -43,6 +40,7 @@ #include #include +#include #include #include #include @@ -2209,9 +2207,7 @@ e82545_open_tap(struct e82545_softc *sc, char *opts) { char tbuf[80]; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif if (opts == NULL) { sc->esc_tapfd = -1; @@ -2238,11 +2234,9 @@ sc->esc_tapfd = -1; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); - if (cap_rights_limit(sc->esc_tapfd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(sc->esc_tapfd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif sc->esc_mevp = mevent_add(sc->esc_tapfd, EVF_READ, Index: usr.sbin/bhyve/pci_passthru.c =================================================================== --- usr.sbin/bhyve/pci_passthru.c +++ usr.sbin/bhyve/pci_passthru.c 
@@ -32,9 +32,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -45,6 +42,7 @@ #include +#include #include #include #include @@ -646,18 +644,14 @@ { int bus, slot, func, error, memflags; struct passthru_softc *sc; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t pci_ioctls[] = { PCIOCREAD, PCIOCWRITE, PCIOCGETBAR }; cap_ioctl_t io_ioctls[] = { IODEV_PIO }; -#endif sc = NULL; error = 1; -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_IOCTL, CAP_READ, CAP_WRITE); -#endif memflags = vm_get_memflags(ctx); if (!(memflags & VM_MEM_F_WIRED)) { @@ -673,12 +667,10 @@ } } -#ifndef WITHOUT_CAPSICUM - if (cap_rights_limit(pcifd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(pcifd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(pcifd, pci_ioctls, nitems(pci_ioctls)) == -1 && errno != ENOSYS) + if (cap_ioctls_limit(pcifd, pci_ioctls, nitems(pci_ioctls)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif if (iofd < 0) { iofd = open(_PATH_DEVIO, O_RDWR, 0); @@ -688,12 +680,10 @@ } } -#ifndef WITHOUT_CAPSICUM - if (cap_rights_limit(iofd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(iofd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(iofd, io_ioctls, nitems(io_ioctls)) == -1 && errno != ENOSYS) + if (cap_ioctls_limit(iofd, io_ioctls, nitems(io_ioctls)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif if (memfd < 0) { memfd = open(_PATH_MEM, O_RDWR, 0); 
@@ -703,12 +693,10 @@ } } -#ifndef WITHOUT_CAPSICUM cap_rights_clear(&rights, CAP_IOCTL); cap_rights_set(&rights, CAP_MMAP_RW); - if (cap_rights_limit(memfd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(memfd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif if (opts == NULL || sscanf(opts, "%d/%d/%d", &bus, &slot, &func) != 3) { Index: usr.sbin/bhyve/pci_virtio_console.c =================================================================== --- usr.sbin/bhyve/pci_virtio_console.c +++ usr.sbin/bhyve/pci_virtio_console.c @@ -34,15 +34,13 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include #include #include +#include #include #include #include @@ -276,9 +274,7 @@ struct sockaddr_un sun; char *pathcopy; int s = -1, fd = -1, error = 0; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif sock = calloc(1, sizeof(struct pci_vtcon_sock)); if (sock == NULL) { @@ -326,11 +322,9 @@ goto out; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); if (cap_rights_limit(s, &rights) == -1 && errno != ENOSYS) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif sock->vss_port = pci_vtcon_port_add(sc, name, pci_vtcon_sock_tx, sock); if (sock->vss_port == NULL) { Index: usr.sbin/bhyve/pci_virtio_net.c =================================================================== --- usr.sbin/bhyve/pci_virtio_net.c +++ usr.sbin/bhyve/pci_virtio_net.c @@ -32,9 +32,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -46,6 +43,7 @@ #endif #include +#include #include #include #include @@ -750,9 +748,7 @@ pci_vtnet_tap_setup(struct pci_vtnet_softc *sc, char *devname) { char tbuf[80]; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif strcpy(tbuf, "/dev/"); strlcat(tbuf, devname, sizeof(tbuf)); 
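Review bot: The `cap_rights_limit(s, &rights) == -1 && errno != ENOSYS` check in the pci_virtio_console.c hunk at old line 326 keeps the ENOSYS tolerance while every other site in this change switches to `< 0`, so on a kernel without Capsicum this listening socket would be left unrestricted while the rest of bhyve exits. Change it to `if (cap_rights_limit(s, &rights) < 0)` for consistency with the other hunks. The include lines are not readable on this page, so whether `<errno.h>` is still needed afterwards cannot be judged here. The enclosing function continues outside the hunk.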
@@ -777,11 +773,9 @@ sc->vsc_tapfd = -1; } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_READ, CAP_WRITE); - if (cap_rights_limit(sc->vsc_tapfd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(sc->vsc_tapfd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif sc->vsc_mevp = mevent_add(sc->vsc_tapfd, EVF_READ, Index: usr.sbin/bhyve/pci_virtio_rnd.c =================================================================== --- usr.sbin/bhyve/pci_virtio_rnd.c +++ usr.sbin/bhyve/pci_virtio_rnd.c @@ -37,12 +37,10 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include +#include #include #include #include @@ -145,9 +143,7 @@ int fd; int len; uint8_t v; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif /* * Should always be able to open /dev/random. @@ -156,11 +152,9 @@ assert(fd >= 0); -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_READ); - if (cap_rights_limit(fd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(fd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif /* * Check that device is seeded and non-blocking. Index: usr.sbin/bhyve/rfb.c =================================================================== --- usr.sbin/bhyve/rfb.c +++ usr.sbin/bhyve/rfb.c @@ -31,9 +31,6 @@ __FBSDID("$FreeBSD$"); #include -#ifndef WITHOUT_CAPSICUM -#include -#endif #include #include #include @@ -45,6 +42,7 @@ #include #include +#include #include #include #include @@ -967,9 +965,7 @@ struct addrinfo *ai; struct addrinfo hints; int on = 1; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; -#endif rc = calloc(1, sizeof(struct rfb_softc)); 
@@ -1022,11 +1018,9 @@ return (-1); } -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_ACCEPT, CAP_EVENT, CAP_READ, CAP_WRITE); - if (cap_rights_limit(rc->sfd, &rights) == -1 && errno != ENOSYS) + if (cap_rights_limit(rc->sfd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); -#endif rc->hw_crc = sse42_supported(); Index: usr.sbin/bhyve/uart_emul.c =================================================================== --- usr.sbin/bhyve/uart_emul.c +++ usr.sbin/bhyve/uart_emul.c @@ -34,11 +34,8 @@ #include #include -#ifndef WITHOUT_CAPSICUM -#include -#include -#endif +#include #include #include #include @@ -655,10 +652,8 @@ uart_set_backend(struct uart_softc *sc, const char *opts) { int retval; -#ifndef WITHOUT_CAPSICUM cap_rights_t rights; cap_ioctl_t cmds[] = { TIOCGETA, TIOCSETA, TIOCGWINSZ }; -#endif retval = -1; @@ -681,21 +676,18 @@ retval = fcntl(sc->tty.fd, F_SETFL, O_NONBLOCK); if (retval == 0) { -#ifndef WITHOUT_CAPSICUM cap_rights_init(&rights, CAP_EVENT, CAP_IOCTL, CAP_READ, CAP_WRITE); - if (cap_rights_limit(sc->tty.fd, &rights) == -1 && - errno != ENOSYS) + if (cap_rights_limit(sc->tty.fd, &rights) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); - if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) == -1 && - errno != ENOSYS) + if (cap_ioctls_limit(sc->tty.fd, cmds, nitems(cmds)) < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); if (!uart_stdio) { - if (caph_limit_stdin() == -1 && errno != ENOSYS) + if (caph_limit_stdin() < 0) errx(EX_OSERR, "Unable to apply rights for sandbox"); } -#endif + uart_opentty(sc); }