+@@ -482,7 +484,7 @@ struct super_block *sget_userns(struct f
+
+ if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
+ !(type->fs_flags & FS_USERNS_MOUNT) &&
+- !capable(CAP_SYS_ADMIN))
++ !vx_capable(CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return ERR_PTR(-EPERM);
+ retry:
+ spin_lock(&sb_lock);
+@@ -563,7 +565,8 @@ struct super_block *sget(struct file_sys
+ user_ns = &init_user_ns;
+
+ /* Ensure the requestor has permissions over the target filesystem */
+- if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN))
++ if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
++ !vx_ns_capable(user_ns, CAP_SYS_ADMIN, VXC_SECURE_MOUNT))
+ return ERR_PTR(-EPERM);
+
+ return sget_userns(type, test, set, flags, user_ns, data);
+@@ -995,7 +998,8 @@ struct dentry *mount_ns(struct file_syst