commit fc3c19a9fceeea48a9259ac3833a125804342c0e
Author: Ed Maste <emaste@FreeBSD.org>
Date:   Sat Oct 6 21:32:55 2018 +0000

    sshd: address capsicum issues
    
    * Add a wrapper to proxy login_getpwclass(3) as it is not allowed in
      capability mode.
    * Cache timezone data via caph_cache_tzdata() as we cannot access the
      timezone file.
    * Reverse resolve hostname before entering capability mode.
    
    PR:             231172
    Submitted by:   naito.yuichiro@gmail.com
    Reviewed by:    cem, des
    Approved by:    re (rgrimes)
    MFC after:      3 weeks
    Differential Revision:  https://reviews.freebsd.org/D17128

Notes:
    svn path=/head/; revision=339216

diff --git crypto/openssh/sandbox-capsicum.c crypto/openssh/sandbox-capsicum.c
index 5f41d526292b..f728abd18250 100644
--- sandbox-capsicum.c
+++ sandbox-capsicum.c
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <capsicum_helpers.h>
 
 #include "log.h"
 #include "monitor.h"
@@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	struct rlimit rl_zero;
 	cap_rights_t rights;
 
+	caph_cache_tzdata();
+
 	rl_zero.rlim_cur = rl_zero.rlim_max = 0;
 
 	if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)