Index: usr.bin/cmp/cmp.c
===================================================================
--- usr.bin/cmp/cmp.c
+++ usr.bin/cmp/cmp.c
@@ -46,6 +46,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -53,7 +54,6 @@
 #include
 #include
 #include
-#include
 #include
 #include "extern.h"
@@ -70,7 +70,6 @@
 int ch, fd1, fd2, oflag, special;
 const char *file1, *file2;
 cap_rights_t rights;
- unsigned long cmd;
 uint32_t fcntls;
 oflag = O_RDONLY;
@@ -165,20 +164,10 @@
 if (cap_fcntls_limit(fd2, fcntls) < 0 && errno != ENOSYS)
 err(ERR_EXIT, "unable to limit fcntls for %s", file2);
- cap_rights_init(&rights, CAP_FSTAT, CAP_WRITE, CAP_IOCTL);
- if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
- err(ERR_EXIT, "unable to limit rights for stdout");
+ if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1)
+ err(ERR_EXIT, "unable to limit stdio");
- /* Required for printf(3) via isatty(3). */
- cmd = TIOCGETA;
- if (cap_ioctls_limit(STDOUT_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(ERR_EXIT, "unable to limit ioctls for stdout");
-
- /*
- * Cache NLS data, for strerror, for err(3), before entering capability
- * mode.
- */
- (void)catopen("libc", NL_CAT_LOCALE);
+ caph_cache_catpages();
 if (cap_enter() < 0 && errno != ENOSYS)
 err(ERR_EXIT, "unable to enter capability mode");
Index: usr.bin/col/col.c
===================================================================
--- usr.bin/col/col.c
+++ usr.bin/col/col.c
@@ -47,6 +47,7 @@
 #include
+#include
 #include
 #include
 #include
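Review bot: The `== -1` checks in cmp.c's `@@ -165` hunk drop the `errno != ENOSYS` tolerance that every replaced `cap_rights_limit()`/`cap_ioctls_limit()` call had, while the `cap_enter()` check just below keeps it. Unless the `caph_*` helpers absorb ENOSYS themselves (their bodies are not part of this diff), cmp would now exit on a kernel without Capsicum instead of running unsandboxed as before; the same pattern recurs in the col.c, elfdump.c, kdump.c, tee.c and tr.c hunks. If the helpers do absorb it, a comment at the call would record that, e.g. `/* caph_limit_*() ignore ENOSYS internally, like the cap_enter() check below. */`. The unchecked `caph_cache_catpages();` also lost the explanation that the NLS catalog must be opened before capability mode; keeping `/* Cache NLS data for err(3)/strerror(3) before cap_enter(). */` above it preserves the ordering constraint. The enclosing function begins and ends outside the hunk.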
@@ -135,20 +136,11 @@
 int nflushd_lines; /* number of lines that were flushed */
 int adjust, opt, warned, width;
 const char *errstr;
- cap_rights_t rights;
- unsigned long cmd;
 (void)setlocale(LC_CTYPE, "");
- cap_rights_init(&rights, CAP_FSTAT, CAP_READ);
- if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for stdin");
- cap_rights_init(&rights, CAP_FSTAT, CAP_WRITE, CAP_IOCTL);
- if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for stdout");
- cmd = TIOCGETA; /* required by isatty(3) in printf(3) */
- if (cap_ioctls_limit(STDOUT_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(1, "unable to limit ioctls for stdout");
+ if (caph_limit_stdio() == -1)
+ err(1, "unable to limit stdio");
 if (cap_enter() < 0 && errno != ENOSYS)
 err(1, "unable to enter capability mode");
Index: usr.bin/elfdump/elfdump.c
===================================================================
--- usr.bin/elfdump/elfdump.c
+++ usr.bin/elfdump/elfdump.c
@@ -36,6 +36,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -44,7 +45,6 @@
 #include
 #include
 #include
-#include
 #include
 #define ED_DYN (1<<0)
@@ -505,7 +505,6 @@
 u_int64_t name;
 u_int64_t type;
 struct stat sb;
- unsigned long cmd;
 u_int flags;
 Elf32_Ehdr *e;
 void *p;
@@ -573,14 +572,8 @@
 cap_rights_init(&rights, CAP_MMAP_R);
 if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
 err(1, "unable to limit rights for %s", *av);
- cap_rights_limit(STDIN_FILENO, cap_rights_init(&rights));
- cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_WRITE);
- cmd = TIOCGETA; /* required by isatty(3) in printf(3) */
- if ((cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS) ||
- (cap_ioctls_limit(STDOUT_FILENO, &cmd, 1) < 0 && errno != ENOSYS) ||
- (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS) ||
- (cap_ioctls_limit(STDERR_FILENO, &cmd, 1) < 0 && errno != ENOSYS))
- err(1, "unable to limit rights for stdout/stderr");
+ if (caph_limit_stdio() == -1)
+ err(1, "unable to limit rights for stdio");
 if (cap_enter() < 0 && errno != ENOSYS)
 err(1, "unable to enter capability mode");
 e = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
Index: usr.bin/kdump/kdump.c
===================================================================
--- usr.bin/kdump/kdump.c
+++ usr.bin/kdump/kdump.c
@@ -62,6 +62,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -74,7 +75,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -110,7 +110,6 @@
 void ktrcapfail(struct ktr_cap_fail *);
 void ktrfault(struct ktr_fault *);
 void ktrfaultend(struct ktr_faultend *);
-void limitfd(int fd);
 void usage(void);
 #define TIMESTAMP_NONE 0x0
@@ -337,9 +336,8 @@
 err(1, "unable to enter capability mode");
 }
 #endif
- limitfd(STDIN_FILENO);
- limitfd(STDOUT_FILENO);
- limitfd(STDERR_FILENO);
+ if (caph_limit_stdio() == -1)
+ err(1, "unable to limit stdio");
 TAILQ_INIT(&trace_procs);
 drop_logged = 0;
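Review bot: stdin loses its no-rights restriction in elfdump.c's `@@ -573` hunk: the removed `cap_rights_limit(STDIN_FILENO, cap_rights_init(&rights))` stripped every right from stdin, whereas `caph_limit_stdio()` presumably leaves it at least readable (the helper's rights set is not shown in this diff). If elfdump never reads stdin, the stricter limit is worth keeping next to the per-stream helpers, i.e. retain the stdin call and use `if (caph_limit_stdout() == -1 || caph_limit_stderr() == -1)` for the other two. The old stdin call also ignored its return value, so a retained call should be checked with `< 0 && errno != ENOSYS` like its neighbours. The enclosing function starts and ends outside the hunk.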
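Review bot: `caph_limit_stdio()` in kdump.c's `@@ -337` hunk replaces a per-descriptor policy with a uniform one, and nothing in this diff shows that the helper still allows `TIOCGWINSZ` on stderr. The removed `limitfd()` granted stderr `CAP_IOCTL` with `TIOCGWINSZ` only when `suppressdata` was unset, gave stdout `TIOCGETA` only, and gave stdin no ioctls at all. If the helper's ioctl list lacks `TIOCGWINSZ`, a terminal-width query on stderr would start failing in capability mode; if it includes it, all three descriptors presumably end up with a wider ioctl set than before. A comment at the call would make the dependency explicit, e.g. `/* stderr relies on caph_limit_stdio() permitting TIOCGWINSZ unless suppressdata. */`. The enclosing function starts and ends outside the hunk.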
@@ -432,40 +430,6 @@
 return 0;
 }
-void
-limitfd(int fd)
-{
- cap_rights_t rights;
- unsigned long cmd;
-
- cap_rights_init(&rights, CAP_FSTAT);
- cmd = 0;
-
- switch (fd) {
- case STDIN_FILENO:
- cap_rights_set(&rights, CAP_READ);
- break;
- case STDOUT_FILENO:
- cap_rights_set(&rights, CAP_IOCTL, CAP_WRITE);
- cmd = TIOCGETA; /* required by isatty(3) in printf(3) */
- break;
- case STDERR_FILENO:
- cap_rights_set(&rights, CAP_WRITE);
- if (!suppressdata) {
- cap_rights_set(&rights, CAP_IOCTL);
- cmd = TIOCGWINSZ;
- }
- break;
- default:
- abort();
- }
-
- if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for descriptor %d", fd);
- if (cmd != 0 && cap_ioctls_limit(fd, &cmd, 1) < 0 && errno != ENOSYS)
- err(1, "unable to limit ioctls for descriptor %d", fd);
-}
-
 int
 fread_tail(void *buf, int size, int num)
 {
Index: usr.bin/tee/tee.c
===================================================================
--- usr.bin/tee/tee.c
+++ usr.bin/tee/tee.c
@@ -45,6 +45,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -52,7 +53,6 @@
 #include
 #include
 #include
-#include
 #include
 typedef struct _list {
@@ -73,8 +73,6 @@
 char *bp;
 int append, ch, exitval;
 char *buf;
- cap_rights_t rights;
- unsigned long cmd;
 #define BSIZE (8 * 1024)
 append = 0;
@@ -96,15 +94,8 @@
 if ((buf = malloc(BSIZE)) == NULL)
 err(1, "malloc");
- cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
- if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
- err(EXIT_FAILURE, "unable to limit rights for stdin");
- cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT, CAP_IOCTL);
- if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
- err(EXIT_FAILURE, "unable to limit rights for stderr");
- cmd = TIOCGETA;
- if (cap_ioctls_limit(STDERR_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(EXIT_FAILURE, "unable to limit ioctls for stderr");
+ if (caph_limit_stdin() == -1 || caph_limit_stderr() == -1)
+ err(EXIT_FAILURE, "unable to limit stdout");
 add(STDOUT_FILENO, "stdout");
@@ -148,19 +139,14 @@
 {
 LIST *p;
 cap_rights_t rights;
- unsigned long cmd;
-
- if (fd == STDOUT_FILENO)
- cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT, CAP_IOCTL);
- else
- cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
- if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
- err(EXIT_FAILURE, "unable to limit rights");
 if (fd == STDOUT_FILENO) {
- cmd = TIOCGETA;
- if (cap_ioctls_limit(fd, &cmd, 1) < 0 && errno != ENOSYS)
- err(EXIT_FAILURE, "unable to limit ioctls for stdout");
+ if (caph_limit_stdout() == -1)
+ err(EXIT_FAILURE, "unable to limit stdout");
+ } else {
+ cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
+ if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
+ err(EXIT_FAILURE, "unable to limit rights");
 }
 if ((p = malloc(sizeof(LIST))) == NULL)
Index: usr.bin/tr/tr.c
===================================================================
--- usr.bin/tr/tr.c
+++ usr.bin/tr/tr.c
@@ -44,16 +44,15 @@
 #include
 #include
+#include
 #include
 #include
-#include
 #include
 #include
 #include
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -72,8 +71,6 @@
 main(int argc, char **argv)
 {
 static int carray[NCHARS_SB];
- cap_rights_t rights;
- unsigned long cmd;
 struct cmap *map;
 struct cset *delete, *squeeze;
 int n, *p;
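Review bot: The failure message in tee.c's `@@ -96` hunk names the wrong descriptor: the condition limits stdin and stderr, yet it reports `unable to limit stdout`, the same text the `@@ -148` hunk uses for the genuine stdout failure. Someone diagnosing a sandbox setup failure would be pointed at the wrong stream and could not tell the two call sites apart. Change it to `err(EXIT_FAILURE, "unable to limit stdio");`, or split the condition into two checks with `stdin` and `stderr` messages. The enclosing function continues outside the hunk.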
@@ -82,23 +79,8 @@
 (void)setlocale(LC_ALL, "");
- cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_READ);
- if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for stdin");
- cap_rights_init(&rights, CAP_FSTAT, CAP_IOCTL, CAP_WRITE);
- if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for stdout");
- if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
- err(1, "unable to limit rights for stderr");
-
- /* Required for isatty(3). */
- cmd = TIOCGETA;
- if (cap_ioctls_limit(STDIN_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(1, "unable to limit ioctls for stdin");
- if (cap_ioctls_limit(STDOUT_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(1, "unable to limit ioctls for stdout");
- if (cap_ioctls_limit(STDERR_FILENO, &cmd, 1) < 0 && errno != ENOSYS)
- err(1, "unable to limit ioctls for stderr");
+ if (caph_limit_stdio() == -1)
+ err(1, "unable to limit stdio");
 if (cap_enter() < 0 && errno != ENOSYS)
 err(1, "unable to enter capability mode");