Index: sbin/fsck_msdosfs/Makefile =================================================================== --- sbin/fsck_msdosfs/Makefile +++ sbin/fsck_msdosfs/Makefile @@ -9,7 +9,7 @@ MAN= fsck_msdosfs.8 SRCS= main.c check.c boot.c fat.c dir.c fsutil.c -CFLAGS+= -I${FSCK} -DHAVE_LIBUTIL_H +CFLAGS+= -I${FSCK} -DHAVE_LIBUTIL_H -DHAVE_CAPSICUM LIBADD= util .include Index: sbin/fsck_msdosfs/check.c =================================================================== --- sbin/fsck_msdosfs/check.c +++ sbin/fsck_msdosfs/check.c @@ -33,6 +33,9 @@ "$FreeBSD$"; #endif /* not lint */ +#ifdef HAVE_CAPSICUM +#include +#endif #ifdef HAVE_LIBUTIL_H #include #endif @@ -62,6 +65,20 @@ printf("** %s", fname); dosfs = open(fname, rdonly ? O_RDONLY : O_RDWR, 0); + +#ifdef HAVE_CAPSICUM + /* + * Here we enter capability mode. Further down access to global + * namespaces (e.g filesystem) is restricted (see capsicum(4)). + * We must connect(2) our socket before this point. + */ + + if (caph_enter() < 0) { + fprintf(stderr, "caph_enter_casper: %s\n", strerror(errno)); + exit(1); + } +#endif + if (dosfs < 0 && !rdonly) { dosfs = open(fname, O_RDONLY, 0); if (dosfs >= 0)
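Review bot: In the second check.c hunk, `caph_enter()` runs before the `dosfs < 0 && !rdonly` fallback, so the retry `open(fname, O_RDONLY, 0)` now executes inside capability mode, where path-based open(2) is refused (see capsicum(4)); with HAVE_CAPSICUM defined the read-only fallback can no longer succeed. The sandbox block should move below the point where the descriptor is known to be open; the body of that `if` continues outside the hunk, so the exact spot has to be chosen there. The error text names a function other than the one called and should read `fprintf(stderr, "caph_enter: %s\n", strerror(errno));`, and the comment about connect(2) and a socket matches nothing visible in this file, so it looks carried over from another program. After entering the sandbox it would also be worth narrowing `dosfs` with `cap_rights_limit()` to the rights the checker actually needs, which this hunk does not do.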