This part seems reasonable to me; in my earlier poking at capsicumizing ELF Tool Chain components I had __FreeBSD_version blocks for both sys/capsicum.h and sys/capability.h but since stable/10 and 10.3 have capsicum.h there's not much point in the extra cruft.

I would probably put a comment though to give a hint as to why this is like this, along the lines of

if __FreeBSD_version > 1001510 /* Header renamed to sys/capsicum.h */

You still need the define. We support bootstrapping from 9.x and although sys/capsicum.h exists there, most of the interface that this change uses is not present there.

So there *IS* a point to the extra cruft.

Not talking about getting rid of this define, just not adding extra cruft to use capsicum on systems < 1001511.

The extra cruft that does not have a point would be something like:

#if __FreeBSD_version > 900000
#define ELFTC_HAVE_CAPSICUM 1
#if __FreeBSD_version > 1001510
#define HEADER_IS_CAPSICUM_H 1
#else
#define HEADER_IS_CAPABILITY_H 1
#endif
#endif

Also, fully into bikeshed territory: >= 1001511 is probably more obvious.

I think a better path forward is the libegacy one we talked about on IRC...

But it all depends on what upstream wants to do since they have support for FreeBSD < 9 later in the file...

That is, the extra cruft that I think is not worthwhile is that cruft to handle the header being named sys/capability.h in 9.x and 10.x prior to 10.3, not sys/capsicum.h.

I want to keep this identical to upstream, and upstream must of course build without Capsicum for other operating systems; I'm happy with that applying to FreeBSD < 10.3 as well.