diff --git a/net/core/sock.c b/net/core/sock.c
index be20a1af20e5..6b287eb5427b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1315,6 +1315,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname,
 __sock_set_mark(sk, val);
 break;
 case SO_RCVMARK:
+ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) &&
+ !ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) {
+ ret = -EPERM;
+ break;
+ }
+
 sock_valbool_flag(sk, SOCK_RCVMARK, valbool);
 break;
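Review bot: The capability check added under `case SO_RCVMARK:` runs for both values of `valbool` and has no comment saying why receiving the mark is privileged. As written, a task without CAP_NET_RAW or CAP_NET_ADMIN in the socket's network-namespace user namespace gets -EPERM even when it only wants to clear SOCK_RCVMARK on a socket it was handed. If only enabling needs to be gated, the condition could begin `if (valbool && !ns_capable(...`; if refusing both directions is intended, a comment such as `/* the skb mark can carry policy set by a privileged entity; require the same privilege to read it as to set it */` would record that. The check is made once at setsockopt time, so a socket configured by a privileged process and then passed on presumably keeps delivering marks, which is worth stating in the commit message. sock_setsockopt() begins and ends outside this hunk, so the preceding mark-setting case and its own permission check are not visible here.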