- Move reporting of inability to open raw socket before trying to use it.
- Like with other programs report to stderr if we successfully entered
  capability mode.
- Remove redundant empty lines.

--- //depot/user/pjd/capsicum/sbin/ping/ping.c	2013-12-16 23:30:33.000000000 0000
+++ /usr/home/pjd/p4/capsicum/sbin/ping/ping.c	2013-12-16 23:30:33.000000000 0000
@@ -247,7 +247,6 @@
 #ifdef IPSEC_POLICY_IPSEC
 	policy_in = policy_out = NULL;
 #endif
-
 	cap_rights_t rights;
 
 	/*
@@ -576,6 +575,11 @@
 		hostname = hnamebuf;
 	}
 
+	if (s < 0) {
+		errno = sockerrno;
+		err(EX_OSERR, "socket");
+	}
+
 	if (connect(s, (struct sockaddr *)&whereto, sizeof(whereto)) != 0)
 		err(1, "connect");
 
@@ -584,10 +588,12 @@
 	 * creation of new file descriptors is forbidden.
 	 * We must connect(2) our socket before this point.
 	 */
-
 	if (cap_enter() < 0 && errno != ENOSYS)
 		err(1, "cap_enter");
 
+	if (cap_sandboxed())
+		fprintf(stderr, "capability mode sandbox enabled\n");
+
 	cap_rights_init(&rights, CAP_RECV, CAP_SEND, CAP_EVENT, CAP_SETSOCKOPT);
 	if (cap_rights_limit(s, &rights) < 0 && errno != ENOSYS)
 		err(1, "cap_rights_limit socket");
@@ -612,10 +618,6 @@
 
 	ident = getpid() & 0xFFFF;
 
-	if (s < 0) {
-		errno = sockerrno;
-		err(EX_OSERR, "socket");
-	}
 	hold = 1;
 	if (options & F_SO_DEBUG)
 		(void)setsockopt(s, SOL_SOCKET, SO_DEBUG, (char *)&hold,
@@ -1008,7 +1010,6 @@
 		ip->ip_sum = in_cksum((u_short *)outpackhdr, cc);
 		packet = outpackhdr;
 	}
-
 	i = send(s, (char *)packet, cc, 0);
 	if (i < 0 || i != cc)  {
 		if (i < 0) {