1 files changed, 5 insertions, 0 deletions

diff --git a/fs/namespace.c b/fs/namespace.c
index b5c5cf01d0c4..bb1560b0d25c 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2263,6 +2263,11 @@ struct vfsmount *clone_private_mount(const struct path *path)
 	if (!check_mnt(old_mnt))
 		goto invalid;
 
+	if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) {
+		up_read(&namespace_sem);
+		return ERR_PTR(-EPERM);
+	}
+
 	if (has_locked_children(old_mnt, path->dentry))
 		goto invalid;