Index: contrib/tcpdump/tcpdump.c
===================================================================
--- contrib/tcpdump/tcpdump.c (revision 271281)
+++ contrib/tcpdump/tcpdump.c (working copy)
@@ -1566,11 +1566,15 @@
 if (p == NULL)
 error("%s", pcap_geterr(pd));
 #ifdef __FreeBSD__
- cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+ cap_rights_init(&rights, CAP_SEEK, CAP_FCNTL, CAP_WRITE);
 if (cap_rights_limit(fileno(pcap_dump_file(p)), &rights) < 0 && errno != ENOSYS) {
 error("unable to limit dump descriptor");
 }
+ if (cap_fcntls_limit(fileno(pcap_dump_file(p)), CAP_FCNTL_GETFL) < 0 &&
+ errno != ENOSYS) {
+ error("unable to limit dump descriptor fcntls");
+ }
 #endif
 if (Cflag != 0 || Gflag != 0) {
 #ifdef __FreeBSD__
@@ -1994,11 +1998,15 @@
 if (dump_info->p == NULL)
 error("%s", pcap_geterr(pd));
 #ifdef __FreeBSD__
- cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+ cap_rights_init(&rights, CAP_SEEK, CAP_FCNTL, CAP_WRITE);
 if (cap_rights_limit(fileno(pcap_dump_file(dump_info->p)), &rights) < 0 && errno != ENOSYS) {
 error("unable to limit dump descriptor");
 }
+ if (cap_fcntls_limit(fileno(pcap_dump_file(dump_info->p)),
+ CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
+ error("unable to limit dump descriptor fcntls");
+ }
 #endif
 }
 }
@@ -2055,11 +2063,15 @@
 if (dump_info->p == NULL)
 error("%s", pcap_geterr(pd));
 #ifdef __FreeBSD__
- cap_rights_init(&rights, CAP_SEEK, CAP_WRITE);
+ cap_rights_init(&rights, CAP_SEEK, CAP_FCNTL, CAP_WRITE);
 if (cap_rights_limit(fileno(pcap_dump_file(dump_info->p)), &rights) < 0 && errno != ENOSYS) {
 error("unable to limit dump descriptor");
 }
+ if (cap_fcntls_limit(fileno(pcap_dump_file(dump_info->p)),
+ CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
+ error("unable to limit dump descriptor fcntls");
+ }
 #endif
 }
Index: sbin/dhclient/dhclient.c
===================================================================
--- sbin/dhclient/dhclient.c (revision 271281)
+++ sbin/dhclient/dhclient.c (working copy)
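Review bot: The rights-limiting sequence for the dump descriptor now exists as three hand-maintained copies in contrib/tcpdump/tcpdump.c (the hunks at -1566, -1994 and -2055), and this commit had to edit all three to add a single right. A copy that is missed in a later change leaves one savefile descriptor with a different rights set from the others, which is easy to overlook in a sandboxing path. Moving the sequence into one static helper that takes the `pcap_dumper_t *` and calling it at the three sites keeps the policy in one place and evaluates `fileno(pcap_dump_file(...))` once instead of twice. The helper name below is only a suggestion, and the enclosing functions start and end outside the hunks.

```c
#ifdef __FreeBSD__
/*
 * Limit a savefile descriptor to seeking, writing and fcntl(F_GETFL).
 * ENOSYS is tolerated so kernels without Capsicum keep working, as the
 * existing call sites already do.
 */
static void
set_dumper_capsicum_rights(pcap_dumper_t *p)
{
	int fd = fileno(pcap_dump_file(p));
	cap_rights_t rights;

	cap_rights_init(&rights, CAP_SEEK, CAP_FCNTL, CAP_WRITE);
	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
		error("unable to limit dump descriptor");
	}
	if (cap_fcntls_limit(fd, CAP_FCNTL_GETFL) < 0 && errno != ENOSYS) {
		error("unable to limit dump descriptor fcntls");
	}
}
#endif

/* … at each of the three call sites, inside the existing #ifdef __FreeBSD__ … */
	set_dumper_capsicum_rights(p);	/* dump_info->p at the other two sites */
```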
@@ -1846,11 +1846,15 @@
 if (!leaseFile)
 error("can't create %s: %m", path_dhclient_db);
 cap_rights_init(&rights, CAP_FSTAT, CAP_FSYNC, CAP_FTRUNCATE,
- CAP_SEEK, CAP_WRITE);
+ CAP_SEEK, CAP_FCNTL, CAP_WRITE);
 if (cap_rights_limit(fileno(leaseFile), &rights) < 0 && errno != ENOSYS) {
 error("can't limit lease descriptor: %m");
 }
+ if (cap_fcntls_limit(fileno(leaseFile), CAP_FCNTL_GETFL) < 0 &&
+ errno != ENOSYS) {
+ error("can't limit lease descriptor fcntls: %m");
+ }
 } else {
 fflush(leaseFile);
 rewind(leaseFile);
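Review bot: Nothing next to the new `CAP_FCNTL` right or the `cap_fcntls_limit()` call records why the lease descriptor needs `fcntl(F_GETFL)`, and the same is true of the three tcpdump.c hunks. A right added to a sandboxed descriptor without its reason tends to be removed by mistake later or copied to other descriptors that do not need it. I would add a comment above the new call such as `/* CAP_FCNTL is narrowed to F_GETFL only; required by <routine that issues F_GETFL on this stream> */`, with the placeholder filled in by the author. Presumably the caller is a stdio routine used on `leaseFile`, but the hunk does not show which one. The enclosing function continues outside the hunk.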