diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 2ddb4226cd2311..e331a8b29ac34f 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -418,7 +418,11 @@ struct vfs_ns_cap_data {
 
 #define CAP_CHECKPOINT_RESTORE	40
 
-#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
+/* Allow performing the elevate syscall and make use of symbiote functionality */
+
+#define CAP_SYMBI_ELEV  41
+
+#define CAP_LAST_CAP         CAP_SYMBI_ELEV
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
diff --git a/kernel/sys.c b/kernel/sys.c
index f2a260990b2510..7ece9e167537c6 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1095,6 +1095,9 @@ SYSCALL_DEFINE1(elevate, unsigned long, flags)
   struct SymbiReg sreg;
   sreg.raw = flags;
 
+  if (!capable(CAP_SYMBI_ELEV))
+	return -EPERM;
+
   // User's registers
   regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1;
 
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 62d19bccf3de1f..9d9a9f1b193985 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -28,9 +28,9 @@
 
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
 		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+		"checkpoint_restore", "symbi_elev"
 
-#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
+#if CAP_LAST_CAP > CAP_SYMBI_ELEV
 #error New capability defined, please update COMMON_CAP2_PERMS.
 #endif