freebsd stable - May 2021 - ENOTCAPABLE returned without Capsicum

I am running 13-stable from a couple of weeks ago, without Capsicum
(neither CAPABILITY_MODE nor CAPABILITIES are specified in my kernel).
Despite this, I am getting Capsicum-related errors.  As an example:
    openat(AT_FDCWD, "/")
will return ENOTCAPABLE.

Rummaging around the sources, it seems that there's a non-trivial
amount of code in kern/vfs_lookup.c that's capable of returning
capability-related errors but isn't protected by CAPABILITY_MODE.
This seems undesirable since it means that FreeBSD is defaulting to
being locked down but unless I build it with Capsicum, there's no
way to change the processes capabilities.

-- 
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20210516/d27fbf5a/attachment.sig>

On 2021-May-16 11:48:24 +1000, Peter Jeremy via freebsd-stable
<freebsd-stable at freebsd.org> wrote:
>I am running 13-stable from a couple of weeks ago, without Capsicum
>(neither CAPABILITY_MODE nor CAPABILITIES are specified in my kernel).
>Despite this, I am getting Capsicum-related errors.  As an example:
>    openat(AT_FDCWD, "/")
>will return ENOTCAPABLE.
Please ignore.  I worked out I was misreading how O_RESOLVE_BENEATH
worked.

-- 
Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL:
<http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20210516/e5a38be7/attachment.sig>