--- Makefile.orig	2014-07-07 14:23:50 UTC
+++ Makefile
@@ -15,12 +15,14 @@ LIBOBJS = kcgi.o \
 	compat-strtonum.o \
 	input.o \
 	sandbox.o \
+	sandbox-capsicum.o \
 	sandbox-darwin.o \
 	sandbox-systrace.o \
 	wrappers.o
 TESTS = test-memmem.c \
 	test-reallocarray.c \
 	test-sandbox_init.c \
+	test-capsicum.c \
 	test-strlcat.c \
 	test-strlcpy.c \
 	test-strtonum.c \
@@ -37,6 +39,7 @@ SRCS = compat-memmem.c \
 	kcgi.h \
 	sample.c \
 	sandbox.c \
+	sandbox-capsicum.c \
 	sandbox-darwin.c \
 	sandbox-systrace.c \
 	wrappers.c \
@@ -67,14 +70,14 @@ installcgi: sample
 install: libkcgi.a
 	sed -e "s!@VERSION@!$(VERSION)!g" -e "s!@DATADIR@!$(DATADIR)!g" kcgi.h >kcgi.h~
 	sed -e "s!@VERSION@!$(VERSION)!g" -e "s!@DATADIR@!$(DATADIR)!g" kcgi.3 >kcgi.3~
-	mkdir -p $(LIBDIR)
-	mkdir -p $(INCLUDEDIR)
-	mkdir -p $(DATADIR)
-	mkdir -p $(MANDIR)
-	install -m 0444 libkcgi.a $(LIBDIR)
-	install -m 0444 kcgi.h~ $(INCLUDEDIR)/kcgi.h
-	install -m 0444 kcgi.3~ $(MANDIR)/kcgi.3
-	install -m 0444 template.xml sample.c $(DATADIR)
+	mkdir -p $(DESTDIR)$(LIBDIR)
+	mkdir -p $(DESTDIR)$(INCLUDEDIR)
+	mkdir -p $(DESTDIR)$(DATADIR)
+	mkdir -p $(DESTDIR)$(MANDIR)
+	install -m 0444 libkcgi.a $(DESTDIR)$(LIBDIR)
+	install -m 0444 kcgi.h~ $(DESTDIR)$(INCLUDEDIR)/kcgi.h
+	install -m 0444 kcgi.3~ $(DESTDIR)$(MANDIR)/kcgi.3
+	install -m 0444 template.xml sample.c $(DESTDIR)$(DATADIR)
 	rm -f kcgi.h~ kcgi.3~
 
 sample: sample.o libkcgi.a
@@ -115,4 +118,5 @@ clean:
 	rm -f test-strtonum test-strtonum.o
 	rm -f test-systrace test-systrace.o
 	rm -f test-zlib test-zlib.o
+	rm -f test-capsicum test-capsicum.o
 	rm -rf *.dSYM
--- configure.orig	2014-07-07 14:23:50 UTC
+++ configure
@@ -34,6 +34,7 @@ runtest reallocarray REALLOCARRAY ""
 runtest sandbox_init SANDBOX_INIT ""
 runtest systrace SYSTRACE ""
 runtest zlib ZLIB "-lz"
+runtest capsicum CAPSICUM ""
 
 cat config.h.post
 exit 0
--- extern.h.orig	2014-07-07 14:23:50 UTC
+++ extern.h
@@ -26,9 +26,12 @@ void khttp_input_child(int fd, const st
 void ksandbox_free(void *arg);
 void *ksandbox_alloc(void);
 void ksandbox_close(void *arg, pid_t pid);
-void ksandbox_init_child(void *arg);
+void ksandbox_init_child(void *arg, int fd);
 void ksandbox_init_parent(void *arg, pid_t pid);
 
+#ifdef HAVE_CAPSICUM
+int ksandbox_capsicum_init_child(void *arg, int fd);
+#endif
 #ifdef HAVE_SANDBOX_INIT
 int ksandbox_darwin_init_child(void *arg);
 #endif
--- sandbox-capsicum.c.orig	2014-11-21 10:10:38 UTC
+++ sandbox-capsicum.c
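Review bot: The prototype of ksandbox_init_child gains an `int fd` parameter here, but no hunk in this patch updates a call site to pass it; unless the caller lives in a file outside what is shown, existing `ksandbox_init_child(arg)` calls will no longer compile against this header. It is worth confirming that the caller passes the child's end of the internal socket, since that is the descriptor the Capsicum child later restricts to CAP_READ. The new `ksandbox_capsicum_init_child` declaration would also benefit from a one-line contract comment, e.g. `/* Returns non-zero if the child may continue, zero after a logged sandbox failure. */`, so sandbox.c readers do not have to open the implementation to interpret the `if ( ! ...)` test.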
@@ -0,0 +1,76 @@
+/* $Id: sandbox-darwin.c,v 1.2 2014/05/24 20:01:47 kristaps Exp $ */
+/*
+ * Copyright (c) 2012, 2014 Kristaps Dzonsons
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif
+
+#ifdef HAVE_CAPSICUM
+
+#include
+#include
+
+#include
+#include
+#include
+
+#include "kcgi.h"
+#include "extern.h"
+
+int
+ksandbox_capsicum_init_child(void *arg, int fd)
+{
+	int rc;
+	struct rlimit rl_zero;
+	cap_rights_t rights;
+
+	cap_rights_init(&rights);
+
+	if (cap_rights_limit(STDIN_FILENO, &rights) < 0 && errno != ENOSYS)
+		XWARN("cap_rights_limit: STDIN_FILENO");
+
+	cap_rights_init(&rights, CAP_WRITE);
+	if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+		XWARN("cap_rights_limit: STDOUT_FILENO");
+	if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+		XWARN("cap_rights_limit: STDERR_FILENO");
+
+	cap_rights_init(&rights, CAP_READ);
+	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
+		XWARN("cap_rights_limit: internal socket");
+
+	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
+
+	if (-1 == setrlimit(RLIMIT_NOFILE, &rl_zero))
+		XWARNX("setrlimit: rlimit_fsize");
+	if (-1 == setrlimit(RLIMIT_FSIZE, &rl_zero))
+		XWARNX("setrlimit: rlimit_fsize");
+	if (-1 == setrlimit(RLIMIT_NPROC, &rl_zero))
+		XWARNX("setrlimit: rlimit_nproc");
+
+	rc = cap_enter();
+	if (0 != rc && errno != ENOSYS) {
+		XWARN("cap_enter");
+		rc = 0;
+	} else
+		rc = 1;
+
+	return(rc);
+}
+
+#else
+int dummy;
+#endif
--- sandbox.c.orig	2014-07-07 14:23:50 UTC
+++ sandbox.c
@@ -120,10 +120,13 @@ ksandbox_close(void *arg, pid_t pid)
  * child context is sandboxed properly.
  */
 void
-ksandbox_init_child(void *arg)
+ksandbox_init_child(void *arg, int fd __unused)
 {
 
-#if defined(HAVE_SANDBOX_INIT)
+#if defined(HAVE_CAPSICUM)
+	if ( ! ksandbox_capsicum_init_child(arg, fd))
+		XWARNX("capsicum sandbox failed (child)");
+#elif defined(HAVE_SANDBOX_INIT)
 	if ( ! ksandbox_darwin_init_child(arg))
 		XWARNX("darwin sandbox failed (child)");
 #elif defined(HAVE_SYSTRACE)
--- test-capsicum.c.orig	2014-11-21 10:10:38 UTC
+++ test-capsicum.c
@@ -0,0 +1,8 @@
+#include
+
+int
+main(void)
+{
+	cap_enter();
+	return(0);
+}
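Review bot: In ksandbox_capsicum_init_child, a cap_enter() failure with errno == ENOSYS takes the else branch and sets `rc = 1`, so a kernel without Capsicum support is reported to sandbox.c as a successfully sandboxed child and the process continues unconfined with nothing in the log; the same silent skip applies to each cap_rights_limit() call above it. Replacing the else with `} else { if (0 != rc) XWARNX("cap_enter: not supported, child not sandboxed"); rc = 1; }` keeps the current fallback behaviour while leaving a trace an operator can act on. Separately, the warning after the RLIMIT_NOFILE setrlimit() call is a copy of the FSIZE one and should read `XWARNX("setrlimit: rlimit_nofile");`. The `$Id` header still names sandbox-darwin.c, and the `arg` parameter is never read in this function.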
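Review bot: In sandbox.c, `fd` is declared `__unused` on the new ksandbox_init_child signature even though the HAVE_CAPSICUM branch two lines below reads it, which misleads the next reader about which builds consume the socket descriptor. Since the body is selected by `#if`, the clearer form is to drop the attribute and add `(void)fd;` in the branches that do not use it; note also that `__unused` is a BSD <sys/cdefs.h> macro, so if this file is also built on non-BSD targets it needs a compat definition, which I cannot confirm from the hunk. The function body continues past the hunk (the HAVE_SYSTRACE and fallback branches), so the fallback case is not visible here.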