--- //depot/user/pjd/capkern/sys/kern/vfs_syscalls.c	2013-02-17 12:20:02.000000000 0000
+++ /usr/home/pjd/p4/capkern/sys/kern/vfs_syscalls.c	2013-02-17 12:20:02.000000000 0000
@@ -3486,92 +3486,99 @@
 	    UIO_USERSPACE));
 }
 
 int
 kern_rename(struct thread *td, char *from, char *to, enum uio_seg pathseg)
 {
 
 	return (kern_renameat(td, AT_FDCWD, from, AT_FDCWD, to, pathseg));
 }
 
 int
 kern_renameat(struct thread *td, int oldfd, char *old, int newfd, char *new,
     enum uio_seg pathseg)
 {
 	struct mount *mp = NULL;
 	struct vnode *tvp, *fvp, *tdvp;
 	struct nameidata fromnd, tond;
 	int error;
 
 	bwillwrite();
 #ifdef MAC
 	NDINIT_ATRIGHTS(&fromnd, DELETE, LOCKPARENT | LOCKLEAF | SAVESTART |
-	    AUDITVNODE1, pathseg, old, oldfd, CAP_UNLINKAT, td);
+	    AUDITVNODE1, pathseg, old, oldfd, CAP_RENAMEAT, td);
 #else
 	NDINIT_ATRIGHTS(&fromnd, DELETE, WANTPARENT | SAVESTART | AUDITVNODE1,
-	    pathseg, old, oldfd, CAP_UNLINKAT, td);
+	    pathseg, old, oldfd, CAP_RENAMEAT, td);
 #endif
 
 	if ((error = namei(&fromnd)) != 0)
 		return (error);
 #ifdef MAC
 	error = mac_vnode_check_rename_from(td->td_ucred, fromnd.ni_dvp,
 	    fromnd.ni_vp, &fromnd.ni_cnd);
 	VOP_UNLOCK(fromnd.ni_dvp, 0);
 	if (fromnd.ni_dvp != fromnd.ni_vp)
 		VOP_UNLOCK(fromnd.ni_vp, 0);
 #endif
 	fvp = fromnd.ni_vp;
 	if (error == 0)
 		error = vn_start_write(fvp, &mp, V_WAIT | PCATCH);
 	if (error != 0) {
 		NDFREE(&fromnd, NDF_ONLY_PNBUF);
 		vrele(fromnd.ni_dvp);
 		vrele(fvp);
 		goto out1;
 	}
 	NDINIT_ATRIGHTS(&tond, RENAME, LOCKPARENT | LOCKLEAF | NOCACHE |
 	    SAVESTART | AUDITVNODE2, pathseg, new, newfd, CAP_LINKAT, td);
 	if (fromnd.ni_vp->v_type == VDIR)
 		tond.ni_cnd.cn_flags |= WILLBEDIR;
 	if ((error = namei(&tond)) != 0) {
 		/* Translate error code for rename("dir1", "dir2/."). */
 		if (error == EISDIR && fvp->v_type == VDIR)
 			error = EINVAL;
 		NDFREE(&fromnd, NDF_ONLY_PNBUF);
 		vrele(fromnd.ni_dvp);
 		vrele(fvp);
 		vn_finished_write(mp);
 		goto out1;
 	}
 	tdvp = tond.ni_dvp;
 	tvp = tond.ni_vp;
 	if (tvp != NULL) {
 		if (fvp->v_type == VDIR && tvp->v_type != VDIR) {
 			error = ENOTDIR;
 			goto out;
 		} else if (fvp->v_type != VDIR && tvp->v_type == VDIR) {
 			error = EISDIR;
 			goto out;
 		}
+		/*
+		 * If the target already exists we require CAP_UNLINKAT
+		 * from 'newfd'.
+		 */
+		error = cap_check(tond.ni_filecaps.fc_rights, CAP_UNLINKAT);
+		if (error != 0)
+			goto out;
 	}
 	if (fvp == tdvp) {
 		error = EINVAL;
 		goto out;
 	}
 	/*
 	 * If the source is the same as the destination (that is, if they
 	 * are links to the same vnode), then there is nothing to do.
 	 */
 	if (fvp == tvp)
 		error = -1;
 #ifdef MAC
 	else
 		error = mac_vnode_check_rename_to(td->td_ucred, tdvp,
 		    tond.ni_vp, fromnd.ni_dvp == tdvp, &tond.ni_cnd);
 #endif
 out:
 	if (!error) {
 		error = VOP_RENAME(fromnd.ni_dvp, fromnd.ni_vp, &fromnd.ni_cnd,
 				   tond.ni_dvp, tond.ni_vp, &tond.ni_cnd);
 		NDFREE(&fromnd, NDF_ONLY_PNBUF);
 		NDFREE(&tond, NDF_ONLY_PNBUF);
--- //depot/user/pjd/capkern/sys/sys/capability.h	2013-02-15 15:52:49.000000000 0000
+++ /usr/home/pjd/p4/capkern/sys/sys/capability.h	2013-02-15 15:52:49.000000000 0000
@@ -119,6 +119,7 @@
 #define	CAP_MKDIRAT		0x0000000000200000ULL
 #define	CAP_MKFIFOAT		0x0000000000800000ULL
 #define	CAP_MKNODAT		0x0080000000000000ULL
+#define	CAP_RENAMEAT		0x0200000000000000ULL
 #define	CAP_SYMLINKAT		0x0100000000000000ULL
 #define	CAP_UNLINKAT		0x0000000000100000ULL
 
@@ -182,7 +183,7 @@
 #define	CAP_PDKILL		0x0040000000000000ULL
 
 /* The mask of all valid method rights. */
-#define	CAP_MASK_VALID		0x01ffffffffffffffULL
+#define	CAP_MASK_VALID		0x03ffffffffffffffULL
 #define	CAP_ALL			CAP_MASK_VALID
 
 /*