Index: contrib/elftoolchain/common/_elftc.h
===================================================================
--- contrib/elftoolchain/common/_elftc.h
+++ contrib/elftoolchain/common/_elftc.h
@@ -380,6 +380,7 @@
 #define	ELFTC_BYTE_ORDER_LITTLE_ENDIAN		_LITTLE_ENDIAN
 #define	ELFTC_BYTE_ORDER_BIG_ENDIAN		_BIG_ENDIAN
 
+#define	ELFTC_HAVE_CAPSICUM			0
 #define	ELFTC_HAVE_MMAP				1
 #define	ELFTC_HAVE_STRMODE			1
 
@@ -432,6 +433,7 @@
 #define	ELFTC_BYTE_ORDER_LITTLE_ENDIAN		_LITTLE_ENDIAN
 #define	ELFTC_BYTE_ORDER_BIG_ENDIAN		_BIG_ENDIAN
 
+#define	ELFTC_HAVE_CAPSICUM			1
 #define	ELFTC_HAVE_MMAP				1
 #define	ELFTC_HAVE_STRMODE			1
 #if __FreeBSD_version <= 900000
@@ -454,6 +456,7 @@
 #define	ELFTC_BYTE_ORDER_LITTLE_ENDIAN		_LITTLE_ENDIAN
 #define	ELFTC_BYTE_ORDER_BIG_ENDIAN		_BIG_ENDIAN
 
+#define	ELFTC_HAVE_CAPSICUM			0
 #define	ELFTC_HAVE_MMAP				1
 #define	ELFTC_HAVE_STRMODE			1
 #if __NetBSD_Version__ <= 599002100
@@ -473,6 +476,7 @@
 #define	ELFTC_BYTE_ORDER_LITTLE_ENDIAN		_LITTLE_ENDIAN
 #define	ELFTC_BYTE_ORDER_BIG_ENDIAN		_BIG_ENDIAN
 
+#define	ELFTC_HAVE_CAPSICUM			0
 #define	ELFTC_HAVE_MMAP				1
 #define	ELFTC_HAVE_STRMODE			1
 
Index: contrib/elftoolchain/strings/strings.c
===================================================================
--- contrib/elftoolchain/strings/strings.c
+++ contrib/elftoolchain/strings/strings.c
@@ -38,6 +38,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sysexits.h>
+#include <termios.h>
 #include <unistd.h>
 
 #include <libelf.h>
@@ -46,6 +47,10 @@
 
 #include "_elftc.h"
 
+#if	ELFTC_HAVE_CAPSICUM
+#include <sys/capsicum.h>
+#endif
+
 ELFTC_VCSID("$Id: strings.c 3446 2016-05-03 01:31:17Z emaste $");
 
 enum return_code {
@@ -203,6 +208,39 @@
 	return (rc);
 }
 
+#if	ELFTC_HAVE_CAPSICUM
+static void
+enter_capsicum(int fd, bool use_mmap)
+{
+	cap_rights_t rights;
+	unsigned long cmd;
+
+	/*
+	 * We may mmap the file when we've already opened it, allow this.
+	 */
+	if (use_mmap)
+		cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_SEEK,
+		    CAP_MMAP);
+	else
+		cap_rights_init(&rights, CAP_READ, CAP_FSTAT, CAP_SEEK);
+	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
+		errx(1, "Unable to limit rights for stdin");
+
+	cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT, CAP_IOCTL);
+	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+		errx(1, "Unable to limit rights for stdout");
+	if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+		errx(1, "Unable to limit rights for stderr");
+
+	cmd = TIOCGETA;
+	if (cap_ioctls_limit(STDOUT_FILENO, &cmd, 1)  < 0 && errno != ENOSYS)
+		errx(1, "unable to limit ioctls for stdout");
+
+	if (cap_enter() != 0)
+		errx(1, "unable to enter capability mode");
+}
+#endif
+
 int
 handle_file(const char *name)
 {
@@ -216,12 +254,21 @@
 			return (RETURN_NOINPUT);
 		}
 	} else {
+#if	ELFTC_HAVE_CAPSICUM
+		enter_capsicum(STDIN_FILENO, false);
+#endif
+
 		return (find_strings(name, (off_t)0, (off_t)0));
 	}
 
 	fd = fileno(stdin);
 	if (fd < 0)
 		return (RETURN_NOINPUT);
+
+#if	ELFTC_HAVE_CAPSICUM
+	enter_capsicum(fd, true);
+#endif
+
 	rt = handle_elf(name, fd);
 	return (rt);
 }