Index: sbin/dumpon/dumpon.c
===================================================================
--- sbin/dumpon/dumpon.c
+++ sbin/dumpon/dumpon.c
@@ -75,6 +75,9 @@
 #include
 #ifdef HAVE_CRYPTO
+#include
+#include
+
 #include
 #include
 #include
@@ -82,6 +85,11 @@
 #endif
 static int verbose;
+static const char *sysctlname = "kern.shutdown.dumpdevname";
+
+#ifdef HAVE_CRYPTO
+static cap_channel_t *capsysctl;
+#endif
 static void _Noreturn
 usage(void)
@@ -212,6 +220,8 @@
 static void
 genkey(const char *pubkeyfile, struct diocskerneldump_arg *kdap)
 {
+ cap_channel_t *capcas;
+ void *caplimit;
 FILE *fp;
 RSA *pubkey;
@@ -237,8 +247,17 @@
 }
 #endif
- if (caph_enter() < 0)
+ capcas = cap_init();
+ if (capcas == NULL || caph_enter_casper() < 0)
 err(1, "Unable to enter capability mode");
+ capsysctl = cap_service_open(capcas, "system.sysctl");
+ if (capsysctl == NULL)
+ err(1, "Unable to open system.sysctl service");
+ cap_close(capcas);
+ caplimit = cap_sysctl_limit_init(capsysctl);
+ (void)cap_sysctl_limit_name(caplimit, sysctlname, CAP_SYSCTL_READ);
+ if (cap_sysctl_limit(caplimit) < 0)
+ err(1, "Unable to set system.sysctl limits");
 pubkey = RSA_new();
 if (pubkey == NULL) {
@@ -315,11 +334,10 @@
 char dumpdev[PATH_MAX];
 struct diocskerneldump_arg ndconf;
 size_t len;
- const char *sysctlname = "kern.shutdown.dumpdevname";
 int fd;
 len = sizeof(dumpdev);
- if (sysctlbyname(sysctlname, &dumpdev, &len, NULL, 0) != 0) {
+ if (cap_sysctlbyname(capsysctl, sysctlname, &dumpdev, &len, NULL, 0) != 0) {
 if (errno == ENOMEM) {
 err(EX_OSERR, "Kernel returned too large of a buffer for '%s'\n",
 sysctlname);
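Review bot: `capsysctl` is declared only under `#ifdef HAVE_CRYPTO` in the hunk at +85, and the two casper `#include` lines in the first hunk are added inside the same guard, yet the last hunk calls `cap_sysctlbyname(capsysctl, ...)` with no guard visible around it. Unless that call site sits inside a HAVE_CRYPTO block that starts outside the hunk, a build without HAVE_CRYPTO would fail on an undeclared identifier and an undeclared function. Moving the two added `#include` lines and `static cap_channel_t *capsysctl;` out of the conditional would keep both configurations building.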
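Review bot: The results of `cap_sysctl_limit_init()` and `cap_sysctl_limit_name()` are not checked in genkey() (hunk at +247), and the second is explicitly cast to `(void)`. This limit is what confines the sysctl service to read-only access on a single name once the process is in capability mode, so a failed allocation should stop the program rather than reach `cap_sysctl_limit()` with a NULL or stale handle. The suggestion below assumes both calls return NULL on failure, as cap_sysctl(3) describes; confirm against the libcasper version in the tree. Separately, `err(1, "Unable to enter capability mode")` now also reports a `cap_init()` failure, which makes the message misleading. genkey() starts and ends outside the hunk.

```c
	cap_close(capcas);
	caplimit = cap_sysctl_limit_init(capsysctl);
	if (caplimit == NULL)
		err(1, "Unable to allocate system.sysctl limits");
	if (cap_sysctl_limit_name(caplimit, sysctlname, CAP_SYSCTL_READ) == NULL ||
	    cap_sysctl_limit(caplimit) < 0)
		err(1, "Unable to set system.sysctl limits");
	/* … unchanged: RSA_new() and public key loading … */
```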
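Review bot: `cap_sysctlbyname(capsysctl, ...)` in the last hunk (+334) depends on a channel that, in the visible hunks, is assigned only inside genkey(). If this function is reached on a path that never calls genkey(), `capsysctl` is still NULL and the call would hand a NULL channel to libcasper. Either open and limit the `system.sysctl` service before any code path that reads `kern.shutdown.dumpdevname`, or guard the call with `if (capsysctl == NULL)` and fall back to plain `sysctlbyname()`. The enclosing function starts and ends outside the hunk, so its callers cannot be checked from here.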