diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index 00cd8095d3461702bc997ff4efad7484a02cc364..b7959de25a5f0ef17f198b648d2e7e1eb223951a 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -637,12 +637,16 @@ static const struct file_operations ima_data_upload_ops = {
 static int ima_open_for_children(struct inode *inode, struct file *file)
 {
 	struct ima_namespace *ima_ns = get_current_ns();
+	struct ima_namespace *ima_ns_for_children = current->nsproxy->ima_ns_for_children;
 
 	/* Allow to set children configuration only after unshare() */
 	if (ima_ns == current->nsproxy->ima_ns_for_children)
 		return -EPERM;
 
-	return ima_open_simple(inode, file);
+	if (!ns_capable(ima_ns_for_children->user_ns, CAP_SYS_ADMIN))
+		return -EPERM;
+
+	return 0;
 }
 
 static ssize_t ima_write_x509_for_children(struct file *file,
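Review bot: The unshare() guard still re-reads `current->nsproxy->ima_ns_for_children` even though the hunk just introduced a local holding that pointer, so the two checks do not provably refer to the same snapshot; use `if (ima_ns == ima_ns_for_children)` so the comparison and the ns_capable() call operate on the same namespace. Replacing `return ima_open_simple(inode, file);` with `return 0;` also drops whatever open-time setup that helper performed (its body is not in this hunk); if the for_children write or release handlers depend on it, for instance on file->private_data or a busy flag, an equivalent is needed here. The capability is checked against the child namespace's user_ns rather than the opener's own, which is a deliberate authority decision worth stating in code, e.g. `/* Configuring the child ima_ns requires CAP_SYS_ADMIN over the user_ns that owns it */`, so a later reader can tell it is intended and not a confusion of the two namespaces. Since this gate runs only at open, the resulting descriptor carries the permission regardless of who later writes through it, which is standard for this pattern but should be reflected in the comment as well.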