diff --git a/etc/nova/rootwrap.d/compute.filters b/etc/nova/rootwrap.d/compute.filters
index 3405374b8ba9..24de2873805a 100644
--- a/etc/nova/rootwrap.d/compute.filters
+++ b/etc/nova/rootwrap.d/compute.filters
@@ -57,10 +57,6 @@ iscsiadm: CommandFilter, iscsiadm, root
 aoe-revalidate: CommandFilter, aoe-revalidate, root
 aoe-discover: CommandFilter, aoe-discover, root
-# nova/virt/xenapi/vm_utils.py: parted, --script, ...
-# nova/virt/xenapi/vm_utils.py: 'parted', '--script', dev_path, ..*.
-parted: CommandFilter, parted, root
-
 # nova/virt/xenapi/vm_utils.py: 'pygrub', '-qn', dev_path
 pygrub: CommandFilter, pygrub, root
diff --git a/nova/privsep/fs.py b/nova/privsep/fs.py
index 4707598c7e60..06ef5a665b26 100644
--- a/nova/privsep/fs.py
+++ b/nova/privsep/fs.py
@@ -195,3 +195,18 @@ def unprivileged_list_partitions(device):
 partitions.append((num, start, size, fstype, name, flags))
 return partitions
+
+
+@nova.privsep.sys_admin_pctxt.entrypoint
+def resize_partition(device, start, end, bootable):
+ return unprivileged_resize_partition(device, start, end, bootable)
+
+
+# NOTE(mikal): this method is deliberately not wrapped in a privsep entrypoint
+def unprivileged_resize_partition(device, start, end, bootable):
+ processutils.execute('parted', '--script', device, 'rm', '1')
+ processutils.execute('parted', '--script', device, 'mkpart',
+ 'primary', '%ds' % start, '%ds' % end)
+ if bootable:
+ processutils.execute('parted', '--script', device,
+ 'set', '1', 'boot', 'on')
diff --git a/nova/tests/unit/virt/xenapi/test_vm_utils.py b/nova/tests/unit/virt/xenapi/test_vm_utils.py
index 98cabf64052d..75ab72a4ba3d 100644
--- a/nova/tests/unit/virt/xenapi/test_vm_utils.py
+++ b/nova/tests/unit/virt/xenapi/test_vm_utils.py
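Review bot: `resize_partition` forwards `device`, `start` and `end` straight into `parted` under the `sys_admin_pctxt` privileged context, and nothing in the nova/privsep/fs.py hunk validates them on the privileged side of the entrypoint. The `'%ds'` formatting restricts `start` and `end` to numbers, but `device` is an arbitrary string; a guard such as `if not device.startswith('/dev/'): raise ValueError(device)` at the top of `unprivileged_resize_partition` would stop the entrypoint from being pointed at an unexpected path or at a value that parted would read as an option. Both functions also lack docstrings; I would add one stating that partition 1 is removed and recreated between the given sector offsets, and that a failure after the `rm` call leaves the device without that partition. Both function bodies are fully inside the hunk.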
@@ -369,22 +369,22 @@ class ResizeHelpersTestCase(VMUtilsTestBase):
 utils.execute('parted', '--script', path, 'set', '1', 'boot', 'on', run_as_root=True)
- def test_resize_part_and_fs_down_succeeds(self):
- self.mox.StubOutWithMock(vm_utils, "_repair_filesystem")
- self.mox.StubOutWithMock(utils, 'execute')
+ @mock.patch('nova.privsep.fs.resize_partition')
+ @mock.patch.object(vm_utils, '_repair_filesystem')
+ @mock.patch.object(utils, 'execute')
+ def test_resize_part_and_fs_down_succeeds(self, mock_execute, mock_repair,
+ mock_resize):
+ dev_path = '/dev/fake'
+ partition_path = '%s1' % dev_path
+ vm_utils._resize_part_and_fs('fake', 0, 20, 10, 'boot')
- dev_path = "/dev/fake"
- partition_path = "%s1" % dev_path
- vm_utils._repair_filesystem(partition_path)
- self._call_tune2fs_remove_journal(partition_path)
- utils.execute("resize2fs", partition_path, "10s", run_as_root=True)
- self._call_parted_mkpart(dev_path, 0, 9)
- self._call_parted_boot_flag(dev_path)
- self._call_tune2fs_add_journal(partition_path)
-
- self.mox.ReplayAll()
-
- vm_utils._resize_part_and_fs("fake", 0, 20, 10, "boot")
+ mock_execute.assert_has_calls([
+ mock.call('tune2fs', '-O ^has_journal', partition_path,
+ run_as_root=True),
+ mock.call('resize2fs', partition_path, '10s', run_as_root=True),
+ mock.call('tune2fs', '-j', partition_path, run_as_root=True)])
+ mock_resize.assert_has_calls([
+ mock.call(dev_path, 0, 9, True)])
 def test_log_progress_if_required(self):
 self.mox.StubOutWithMock(vm_utils.LOG, "debug")
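Review bot: `mock_repair` is patched in `test_resize_part_and_fs_down_succeeds` but never asserted, whereas the removed mox version expected `vm_utils._repair_filesystem(partition_path)`; adding `mock_repair.assert_called_once_with(partition_path)` would keep that coverage. `assert_has_calls` on two separate mocks also no longer ties the partition resize to its position between the `resize2fs` and `tune2fs -j` calls, which the old expectation sequence listed for the shrink case, and it tolerates extra calls. If the ordering matters, attach both mocks to one parent mock and assert on its `mock_calls`. The same applies to `test_resize_part_and_fs_up_succeeds` in the following hunk.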
@@ -427,21 +427,22 @@ class ResizeHelpersTestCase(VMUtilsTestBase):
 vm_utils._resize_part_and_fs, "fake", 0, 20, 10, "boot")
- def test_resize_part_and_fs_up_succeeds(self):
- self.mox.StubOutWithMock(vm_utils, "_repair_filesystem")
- self.mox.StubOutWithMock(utils, 'execute')
+ @mock.patch('nova.privsep.fs.resize_partition')
+ @mock.patch.object(vm_utils, '_repair_filesystem')
+ @mock.patch.object(utils, 'execute')
+ def test_resize_part_and_fs_up_succeeds(self, mock_execute, mock_repair,
+ mock_resize):
+ dev_path = '/dev/fake'
+ partition_path = '%s1' % dev_path
+ vm_utils._resize_part_and_fs('fake', 0, 20, 30, '')
- dev_path = "/dev/fake"
- partition_path = "%s1" % dev_path
- vm_utils._repair_filesystem(partition_path)
- self._call_tune2fs_remove_journal(partition_path)
- self._call_parted_mkpart(dev_path, 0, 29)
- utils.execute("resize2fs", partition_path, run_as_root=True)
- self._call_tune2fs_add_journal(partition_path)
-
- self.mox.ReplayAll()
-
- vm_utils._resize_part_and_fs("fake", 0, 20, 30, "")
+ mock_execute.assert_has_calls([
+ mock.call('tune2fs', '-O ^has_journal', partition_path,
+ run_as_root=True),
+ mock.call('resize2fs', partition_path, run_as_root=True),
+ mock.call('tune2fs', '-j', partition_path, run_as_root=True)])
+ mock_resize.assert_has_calls([
+ mock.call(dev_path, 0, 29, False)])
 def test_resize_disk_throws_on_zero_size(self):
 flavor = fake_flavor.fake_flavor_obj(self.context, root_gb=0)
diff --git a/nova/virt/xenapi/vm_utils.py b/nova/virt/xenapi/vm_utils.py
index ae8364fba852..1df21eda5e4c 100644
--- a/nova/virt/xenapi/vm_utils.py
+++ b/nova/virt/xenapi/vm_utils.py
@@ -2317,17 +2317,8 @@ def _resize_part_and_fs(dev, start, old_sectors, new_sectors, flags):
 "enough free space on your disk.")
 raise exception.ResizeError(reason=reason)
- utils.execute('parted', '--script', dev_path, 'rm', '1',
- run_as_root=True)
- utils.execute('parted', '--script', dev_path, 'mkpart',
- 'primary',
- '%ds' % start,
- '%ds' % end,
- run_as_root=True)
- if "boot" in flags.lower():
- utils.execute('parted', '--script', dev_path,
- 'set', '1', 'boot', 'on',
- run_as_root=True)
+ nova.privsep.fs.resize_partition(dev_path, start, end,
+ 'boot' in flags.lower())
 if new_sectors > old_sectors:
 # Resizing up, resize filesystem after partition resize
diff --git a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
index 5bb8b1be165f..0525c4020f06 100644
--- a/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
+++ b/releasenotes/notes/privsep-queens-rootwrap-adds-907aa1bc8e3eb2ca.yaml
@@ -12,5 +12,5 @@ upgrade:
 The following commands are no longer required to be listed in your rootwrap configuration: blkid; blockdev; cat; chown; cryptsetup; dd; ebrctl; ifc_ctl; kpartx; losetup; lvcreate; lvremove; lvs; mkdir; mm-ctl; mount;
- nova-idmapshift; ploop; prl_disk_tool; qemu-nbd; readlink; shred; tee;
+ nova-idmapshift; parted; ploop; prl_disk_tool; qemu-nbd; readlink; shred; tee;
 touch; umount; vgs; vrouter-port-control; and xend.