diff --git a/daemon/execdriver/utils.go b/daemon/execdriver/utils.go
index 90c5177421..2fb431f17b 100644
--- a/daemon/execdriver/utils.go
+++ b/daemon/execdriver/utils.go
@@ -38,7 +38,7 @@ func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 
 			// if we don't drop `all`, add back all the non-dropped caps
 			if !utils.StringsContainsNoCase(drops, cap) {
-				newCaps = append(newCaps, cap)
+				newCaps = append(newCaps, strings.ToUpper(cap))
 			}
 		}
 	}
@@ -56,7 +56,7 @@ func TweakCapabilities(basics, adds, drops []string) ([]string, error) {
 
 		// add cap if not already in the list
 		if !utils.StringsContainsNoCase(newCaps, cap) {
-			newCaps = append(newCaps, cap)
+			newCaps = append(newCaps, strings.ToUpper(cap))
 		}
 	}
 	return newCaps, nil
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index dba8e7fe28..d01c00ad6b 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -808,6 +808,21 @@ func TestCapDropCannotMknod(t *testing.T) {
 	logDone("run - test --cap-drop=MKNOD cannot mknod")
 }
 
+func TestCapDropCannotMknodLowerCase(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "--cap-drop=mknod", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
+	out, _, err := runCommandWithOutput(cmd)
+	if err == nil {
+		t.Fatal(err, out)
+	}
+
+	if actual := strings.Trim(out, "\r\n"); actual == "ok" {
+		t.Fatalf("expected output not ok received %s", actual)
+	}
+	deleteAllContainers()
+
+	logDone("run - test --cap-drop=mknod cannot mknod lowercase")
+}
+
 func TestCapDropALLCannotMknod(t *testing.T) {
 	cmd := exec.Command(dockerBinary, "run", "--cap-drop=ALL", "busybox", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok")
 	out, _, err := runCommandWithOutput(cmd)