diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1220,6 +1220,7 @@
 {
 struct socket *so;
 struct file *fp;
+ struct filecaps fcaps;
 struct sockopt sopt;
 int error;
@@ -1245,8 +1246,10 @@
 }
 AUDIT_ARG_FD(s);
- error = getsock(td, s, &cap_setsockopt_rights, &fp);
+ error = getsock_cap(td, s, &cap_setsockopt_rights, &fp,
+ &fcaps);
 if (error == 0) {
+ sopt.sopt_rights = &fcaps.fc_rights;
 so = fp->f_data;
 error = sosetopt(so, &sopt);
 fdrop(fp, td);
@@ -1284,6 +1287,7 @@
 {
 struct socket *so;
 struct file *fp;
+ struct filecaps fcaps;
 struct sockopt sopt;
 int error;
@@ -1309,8 +1313,9 @@
 }
 AUDIT_ARG_FD(s);
- error = getsock(td, s, &cap_getsockopt_rights, &fp);
+ error = getsock_cap(td, s, &cap_getsockopt_rights, &fp, &fcaps);
 if (error == 0) {
+ sopt.sopt_rights = &fcaps.fc_rights;
 so = fp->f_data;
 error = sogetopt(so, &sopt);
 *valsize = sopt.sopt_valsize;
diff --git a/sys/sys/sockopt.h b/sys/sys/sockopt.h
--- a/sys/sys/sockopt.h
+++ b/sys/sys/sockopt.h
@@ -35,6 +35,7 @@
 #error "no user-serviceable parts inside"
 #endif
+struct cap_rights;
 struct thread;
 struct socket;
@@ -50,6 +51,7 @@
 int sopt_name; /* third arg of [gs]etsockopt */
 void *sopt_val; /* fourth arg of [gs]etsockopt */
 size_t sopt_valsize; /* (almost) fifth arg of [gs]etsockopt */
+ struct cap_rights *sopt_rights; /* Capsicum rights attached to the fd */
 struct thread *sopt_td; /* calling thread or null if kernel */
 };
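Review bot: Nothing visible in the setsockopt hunk at -1245 releases `fcaps` after `getsock_cap()` fills it. If `getsock_cap()` hands back a copy of the descriptor's capability set that includes a separately allocated ioctl allowlist, every call leaks that allocation, and an unprivileged process holding a limited descriptor could repeat the call to exhaust kernel memory. Adding `filecaps_free(&fcaps);` next to `fdrop(fp, td);` would close this, and the getsockopt hunk at -1309 needs the same line. Both success blocks continue past the end of their hunks, so a release further down cannot be ruled out from here.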
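Review bot: The new `sopt_rights` field in the `struct sockopt` hunk at -50 has no documented NULL or lifetime contract. In this diff only the two syscall paths in uipc_syscalls.c assign it, and they point it at a stack-local `struct filecaps`, so the pointer is valid only for the duration of the `sosetopt()`/`sogetopt()` call and a handler must not retain it. Any other code that builds a `struct sockopt` (presumably the in-kernel callers that leave `sopt_td` null) will leave the field NULL, or uninitialised if the struct is not zeroed, so a rights check that dereferences it unconditionally would either crash or decide on garbage. I would extend the comment to `/* Capsicum rights of the fd; NULL if kernel; valid only during the call */` and confirm that every on-stack `struct sockopt` initialiser zeroes the new field.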