diff --git a/fs/namespace.c b/fs/namespace.c
index b682a044cf0e169f2a1b9ee47836fefdb31e6e31..e4226bc31e6bb7204c4b4634e85e7a697dab3304 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1897,6 +1897,11 @@ struct vfsmount *clone_private_mount(const struct path *path)
 if (!check_mnt(old_mnt))
 goto invalid;
+ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) {
+ up_read(&namespace_sem);
+ return ERR_PTR(-EPERM);
+ }
+
 if (has_locked_children(old_mnt, path->dentry))
 goto invalid;
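Review bot: The new `ns_capable()` branch open-codes `up_read(&namespace_sem); return ERR_PTR(-EPERM);` while the checks on both sides of it leave through `goto invalid`, so the function now has two places that must release the semaphore. The `invalid` label is outside the hunk, so this is inferred from the surrounding `goto`s; if that label returns one fixed error, a local error variable set before a shared unlock label would keep a single exit and make a later locking change harder to get wrong. The placement also matters for safety: the branch dereferences `old_mnt->mnt_ns`, and the preceding `check_mnt()` is presumably what establishes that the mount is attached to a namespace, so reordering the two checks could turn this into a NULL dereference. A comment should pin both the ordering and the intent, e.g. `/* after check_mnt(): mnt_ns is valid; caller needs CAP_SYS_ADMIN in the userns owning it, has_locked_children() alone is not a permission check */`.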