Index: usr.bin/head/head.c
===================================================================
--- usr.bin/head/head.c
+++ usr.bin/head/head.c
@@ -41,10 +41,13 @@
 #include
 __FBSDID("$FreeBSD$");
+#include
 #include
+#include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -95,6 +98,16 @@
 		errx(1, "can't combine line and byte counts");
 	if (linecnt == -1 )
 		linecnt = 10;
+
+	if (caph_limit_stdout() < 0)
+		err(1, "unable to limit rights for stdout");
+
+	/*
+	 * Cache NLS data, for strerror, for err(3), before entering capability
+	 * mode.
+	 */
+	caph_cache_catpages();
+
 	if (*argv) {
 		for (first = 1; *argv; ++argv) {
 			if ((fp = fopen(*argv, "r")) == NULL) {
@@ -102,6 +115,13 @@
 				eval = 1;
 				continue;
 			}
+			if (caph_limit_stream(fileno(fp), CAPH_READ) < 0)
+				err(1, "unable to limit rights for %s", *argv);
+			/* Enter capsicum sandbox for the final input file. */
+			if (argv[1] == NULL) {
+				if (cap_enter() < 0 && errno != ENOSYS)
+					err(1, "unable to enter capability mode");
+			}
 			if (argc > 1) {
 				(void)printf("%s==> %s <==\n",
 				    first ? "" : "\n", *argv);
@@ -113,10 +133,17 @@
 			head_bytes(fp, bytecnt);
 			(void)fclose(fp);
 		}
-	} else if (bytecnt == -1)
-		head(stdin, linecnt);
-	else
-		head_bytes(stdin, bytecnt);
+	} else {
+		if (caph_limit_stream(fileno(stdin), CAPH_READ) < 0)
+			err(1, "unable to limit rights for stdin");
+		if (cap_enter() < 0 && errno != ENOSYS)
+			err(1, "unable to enter capability mode");
+
+		if (bytecnt == -1)
+			head(stdin, linecnt);
+		else
+			head_bytes(stdin, bytecnt);
+	}
 	exit(eval);
 }
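Review bot: The second hunk limits stdout before cap_enter() but never limits stderr, so descriptor 2 keeps its full capability rights inside the sandbox even though err(3)/warn(3) only need to write to it; on the file path (third hunk) stdin is likewise never restricted, because the stdin limit is applied only in the else branch of the last hunk. Replacing the stdout call with `if (caph_limit_stdio() < 0) err(1, "unable to limit rights for stdio");` ahead of the `if (*argv)` branch covers all three descriptors on both paths and makes the later `caph_limit_stream(fileno(stdin), CAPH_READ)` call redundant; if only the minimal change is wanted, adding `if (caph_limit_stderr() < 0) err(1, "unable to limit rights for stderr");` next to the stdout call closes the stderr gap. The enclosing main() starts before this hunk and ends after the last one.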
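Review bot: In the third hunk the sandbox is entered only when `argv[1] == NULL`, so with several arguments every input except the last is opened and read with full ambient authority; that is a consequence of fopen(3) needing unrestricted rights, but the comment `/* Enter capsicum sandbox for the final input file. */` does not say that the preceding files run unsandboxed, and a reader may assume the whole loop is covered. I would extend the comment to `/* Only the final file is processed in capability mode; earlier inputs are read with full rights because fopen(3) needs them. */`. The `cap_enter() < 0 && errno != ENOSYS` pair is also written twice, here and in the last hunk's else branch, and would read better as one small static helper (or caph_enter(), if this tree's capsicum_helpers.h already provides it) so the ENOSYS tolerance is expressed in a single place.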