interpret:
        if (args->fname != NULL) {
 #ifdef CAPABILITY_MODE
+#ifdef KTRACE
+               /* XXXJF ONLY CHECK AFTER FIRST EXEC */
+               if (CAP_TRACING(td))
+                       ktrcapfail(CAPFAIL_VFS, NULL, NULL);
+#endif
                /*
                 * While capability mode can't reach this point via direct
                 * path arguments to execve(), we also don't allow
                 * interpreters to be used in capability mode (for now).
                 * Catch indirect lookups and return a permissions error.
                 */
                if (IN_CAPABILITY_MODE(td)) {
                        error = ECAPMODE;
                        goto exec_fail;
                }
 #endif