diff --git a/file-seccomp.patch b/file-seccomp.patch
new file mode 100644
index 0000000..4fd5c65
--- /dev/null
+++ b/file-seccomp.patch
@@ -0,0 +1,35 @@
+From 3cb58bb51d47b8e61611350324b751eaa46166a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <crrodriguez@opensuse.org>
+Date: Fri, 8 Nov 2024 08:28:12 +0100
+Subject: [PATCH] Allow getrandom, rseq, and prctl for glibc malloc
+
+glibc uses getrandom in malloc, rseq, and prctl in various other
+places, allow these syscalls in seccomp filter.
+
+```
+export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
+make check
+```
+
+Signed-off-by: Werner Fink <werner@suse.de>
+---
+ src/seccomp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/seccomp.c b/src/seccomp.c
+index ce824330..8a2c8a4c 100644
+--- a/src/seccomp.c
++++ b/src/seccomp.c
+@@ -80,6 +80,9 @@ enable_sandbox(void)
+ 	if (ctx == NULL)
+ 		return -1;
+ 
++	ALLOW_RULE(prctl);
++	ALLOW_RULE(getrandom);
++	ALLOW_RULE(rseq);
+ 	ALLOW_RULE(access);
+ 	ALLOW_RULE(brk);
+ 	ALLOW_RULE(close);
+-- 
+2.43.0
+
diff --git a/file.changes b/file.changes
index 4f85e60..b066ee7 100644
--- a/file.changes
+++ b/file.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov  7 20:11:48 UTC 2024 - Cristian Rodríguez <crrodriguez@opensuse.org>
+
+- file-seccomp.patch: glibc uses getrandom in malloc, rseq and prctl
+  in various other places, allow these syscalls in seccomp filter.
+
 -------------------------------------------------------------------
 Mon Feb 26 09:11:40 UTC 2024 - Dr. Werner Fink <werner@suse.de>
 
diff --git a/file.spec b/file.spec
index 75b6d53..60c4a92 100644
--- a/file.spec
+++ b/file.spec
@@ -65,6 +65,7 @@ Patch37:        file-secure_getenv.patch
 Patch39:        file-5.28-btrfs-image.dif
 # PATCH-FIX-UPSTREAM: Support max time_t on 32bit
 Patch42:        file-5.45-type_t.dif
+Patch43:        file-seccomp.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %global         _sysconfdir /etc
 %global         magicdir    %{_datadir}/file
@@ -129,6 +130,7 @@ to develop applications that require the magic "file" interface.
 %patch -P 37 -p1 -b .getenv
 %patch -P 39 -p1 -b .btrfs
 %patch -P 0 -b .0
+%patch -P 43 -p1 -b .seccomp
 test -s src/magic.h.in || cp -p src/magic.h src/magic.h.in
 rm -fv src/magic.h
 
@@ -162,6 +164,8 @@ install -s dcore %{buildroot}%{_bindir}
 rm -f %{buildroot}%{_libdir}/*.la
 
 %check
+# Test if prctl is still allowed by the seccomp filter.
+export GLIBC_TUNABLES=glibc.mem.decorate_maps=1
 # Standard checks
 make check
 # Check out that the binary does not bail out:
@@ -174,6 +178,7 @@ for dir in %{_bindir} /%{_lib} %{_libdir} ; do
 	xargs %{buildroot}%{_bindir}/file -m %{buildroot}%{_miscdir}/magic
 done
 unset LD_LIBRARY_PATH
+unset GLIBC_TUNABLES
 
 %post -n %libname -p /sbin/ldconfig