diff --git a/fs/namespace.c b/fs/namespace.c
index cebcb9fa2acc..6a9c53c800c4 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2110,6 +2110,11 @@ struct vfsmount *clone_private_mount(const struct path *path)
 if (!check_mnt(old_mnt))
 goto invalid;
+ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) {
+ up_read(&namespace_sem);
+ return ERR_PTR(-EPERM);
+ }
+
 if (has_locked_children(old_mnt, path->dentry))
 goto invalid;
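Review bot: The added `ns_capable()` check carries no comment explaining why the capability is tested against `old_mnt->mnt_ns->user_ns`, and that choice is the security-relevant part of the change: the caller has to hold CAP_SYS_ADMIN in the user namespace that owns the mount's namespace, not just in whichever namespace it is running in. I would put `/* caller must have CAP_SYS_ADMIN in the userns owning old_mnt's mount namespace */` directly above the check. The dereference of `mnt_ns` presumably relies on the preceding `check_mnt()` having passed, so the comment should also say the check must stay after it. The -EPERM path calls `up_read(&namespace_sem)` by hand while the neighbouring checks use `goto invalid`; a second label next to `invalid` would keep the unlock in one place, though that label and the rest of clone_private_mount() lie outside the hunk.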