diff --git a/security/commoncap.c b/security/commoncap.c
index feb6044f701d0d313fd7fa8a8fbbc451fe45958d..cbb203c914062449fdef4862a2c2b34f13701d9b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -548,7 +548,8 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
 
 	if ((is_setid ||
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
-	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
+	    ((bprm->unsafe & ~(LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) ||
+	     !ptracer_capable(current, new->user_ns))) {
 		/* downgrade; they get no more than they had, and maybe less */
 		if (!ns_capable(new->user_ns, CAP_SETUID) ||
 		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {