diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index 3bd2a76..52dfaf9 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -29,6 +29,22 @@ from oslo_rootwrap import subprocess
 from oslo_rootwrap import wrapper
 
 
+class RootwrapLoaderTestCase(testtools.TestCase):
+
+    def test_privsep_in_loader(self):
+        privsep = ["privsep-helper", "--context", "foo"]
+        filterlist = wrapper.load_filters([])
+
+        # mock out get_exec because
+        with mock.patch.object(filters.CommandFilter, 'get_exec') as ge:
+            ge.return_value = "/fake/privsep-helper"
+            filtermatch = wrapper.match_filter(filterlist, privsep)
+
+            self.assertIsNotNone(filtermatch)
+            self.assertEqual(filtermatch.get_command(privsep),
+                             ["/fake/privsep-helper", "--context", "foo"])
+
+
 class RootwrapTestCase(testtools.TestCase):
     if os.path.exists('/sbin/ip'):
         _ip = '/sbin/ip'
diff --git a/oslo_rootwrap/wrapper.py b/oslo_rootwrap/wrapper.py
index 2846011..cd7a253 100644
--- a/oslo_rootwrap/wrapper.py
+++ b/oslo_rootwrap/wrapper.py
@@ -125,6 +125,10 @@ def load_filters(filters_path):
                     continue
                 newfilter.name = name
                 filterlist.append(newfilter)
+    # And always include privsep-helper
+    privsep = build_filter("CommandFilter", "privsep-helper", "root")
+    privsep.name = "privsep-helper"
+    filterlist.append(privsep)
     return filterlist