diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 1385de0fa0809828dd4467386c902ef2e718dcae..b237959c74975037437f1606ab0027d49b183c4d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2122,6 +2122,10 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh)
 		if (IS_ERR(dest_net))
 			return PTR_ERR(dest_net);
 
+		err = -EPERM;
+		if (!netlink_ns_capable(skb, dest_net->user_ns, CAP_NET_ADMIN))
+			goto out;
+
 		if (tb[IFLA_LINK_NETNSID]) {
 			int id = nla_get_s32(tb[IFLA_LINK_NETNSID]);