diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -1758,6 +1758,13 @@
 return (0);
 }
 
+#define CPUSET_CAP_VIOLATE(td) do { \
+ if (CAP_TRACING(td)) \
+ ktrcapfail(CAPFAIL_CPUSET, NULL); \
+ if (IN_CAPABILITY_MODE(td)) \
+ return (ECAPMODE); \
+} while (0)
+
 /*
 * In Capability mode, the only accesses that are permitted are to the current
 * thread and process' CPU and domain sets.
@@ -1766,19 +1773,19 @@
 cpuset_check_capabilities(struct thread *td, cpulevel_t level, cpuwhich_t which,
 id_t id)
 {
- if (IN_CAPABILITY_MODE(td)) {
+ if (IN_CAPABILITY_MODE(td) || CAP_TRACING(td)) {
 if (level != CPU_LEVEL_WHICH)
- return (ECAPMODE);
+ CPUSET_CAP_VIOLATE(td);
 if (which != CPU_WHICH_TID && which != CPU_WHICH_PID &&
 which != CPU_WHICH_TIDPID)
- return (ECAPMODE);
+ CPUSET_CAP_VIOLATE(td);
 if (id != -1 && which == CPU_WHICH_TIDPID &&
 id != td->td_tid && id != td->td_proc->p_pid)
- return (ECAPMODE);
+ CPUSET_CAP_VIOLATE(td);
 if (id != -1 &&
 !(which == CPU_WHICH_TID && id == td->td_tid) &&
 !(which == CPU_WHICH_PID && id == td->td_proc->p_pid))
- return (ECAPMODE);
+ CPUSET_CAP_VIOLATE(td);
 }
 return (0);
 }
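Review bot: CPUSET_CAP_VIOLATE hides a `return` inside a macro and carries no comment, so a reader of the call sites cannot tell that it leaves the calling function in capability mode but falls through when the thread is only being traced. I would put a comment above the `#define`, e.g. `/* Record a capability violation when tracing; return ECAPMODE from the caller only if td is in capability mode. */`. The macro is only meaningful inside cpuset_check_capabilities(), so an `#undef CPUSET_CAP_VIOLATE` after that function would keep the hidden return from being reused elsewhere in the file.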
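Review bot: With the outer guard widened to `IN_CAPABILITY_MODE(td) || CAP_TRACING(td)`, a thread that is traced but not in capability mode no longer leaves at the first failing check, so one call can emit several CAPFAIL_CPUSET records. A foreign `id` with `CPU_WHICH_TIDPID`, for example, satisfies both the third and the fourth condition. Chaining the checks (`else if (which != CPU_WHICH_TID && ...` and likewise for the two `id` tests) would keep it to one record per call without changing what capability mode rejects. Separately, the fourth condition as written is true for every `CPU_WHICH_TIDPID` request with an explicit `id`, including the caller's own tid or pid, so such calls would now appear in traces as violations; that predates this change, but it is worth confirming it is intended. The function's return-type line sits above the hunk.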