From 3e4e6e07ece0c1a739388e6b6a3dc61c8e17173a Mon Sep 17 00:00:00 2001
From: oshogbo <oshogbo@FreeBSD.org>
Date: Wed, 1 May 2019 06:59:04 +0000
Subject: [PATCH] MFC r346263:   tcpdump: disable Capsicum if -E option is
 provided.

  The -E is used to provide a secret for decrypting IPsec.
  The secret may be provided through command line or as the file.
  The problem is that tcpdump doesn't support yet opening files in capability mode
  and the file may contain a list of the files to open.

  As a workaround, for now, let's just disable capsicum if the -E
  the option is provided.

  PR:           236819
  MFC after:    2 weeks
---
 contrib/tcpdump/tcpdump.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/tcpdump/tcpdump.c b/contrib/tcpdump/tcpdump.c
index d24fe0fcae6..c770e51e470 100644
--- a/contrib/tcpdump/tcpdump.c
+++ b/contrib/tcpdump/tcpdump.c
@@ -2063,7 +2063,8 @@ main(int argc, char **argv)
 	}
 
 #ifdef HAVE_CAPSICUM
-	cansandbox = (VFileName == NULL && zflag == NULL);
+	cansandbox = (VFileName == NULL && zflag == NULL &&
+	    ndo->ndo_espsecret == NULL);
 #ifdef HAVE_CASPER
 	cansandbox = (cansandbox && (ndo->ndo_nflag || capdns != NULL));
 #else
-- 
2.45.0