diff --git a/repos/os/src/server/chroot/README b/repos/os/src/server/chroot/README
index 18af1bfe1..5843eb198 100644
--- a/repos/os/src/server/chroot/README
+++ b/repos/os/src/server/chroot/README
@@ -6,8 +6,10 @@ hierarchy of directories. Sessions matching policies with _path_ attributes will be "chrooted" to the configured policy path, sessions not matching policies with _path_ attributes will be chrooted into paths formed from each session label element. Sessions
-requests are downgraded to read-only requests unless matched by polices
-with an affirmative _writeable_ attribute. Sessions not matching any
+matching polices with a _path_prefix_ attribute are both rooted at the
+attribute path and in sub-directories formed by the session label.
+Sessions requests are downgraded to read-only requests unless matched by
+polices with an affirmative _writeable_ attribute. Sessions not matching any
 policy are rejected. Please note that this server is only effective for File_system servers that
diff --git a/repos/os/src/server/chroot/component.cc b/repos/os/src/server/chroot/component.cc
index 6e9baeac7..16c7d3393 100644
--- a/repos/os/src/server/chroot/component.cc
+++ b/repos/os/src/server/chroot/component.cc
@@ -112,8 +112,13 @@ struct Chroot::Main
 Session_label const label = label_from_args(args.string());
 Session_policy const policy(label, config_rom.xml());
- /* Use a chroot path from policy */
- if (policy.has_attribute("path")) {
+ if (policy.has_attribute("path_prefix")) {
+ /* Use a chroot path from policy and label sub-directories */
+ policy.attribute("path_prefix").value(tmp, sizeof(tmp));
+ root_path.import(tmp);
+ root_path.append(path_from_label(label.string()).string());
+ } else if (policy.has_attribute("path")) {
+ /* Use a chroot path from policy */
 policy.attribute("path").value(tmp, sizeof(tmp));
 root_path.import(tmp);
 } else {
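Review bot: In the new `path_prefix` branch, `root_path.append(path_from_label(label.string()).string())` joins a label-derived path onto the configured prefix, and nothing in the hunk checks that the result still lies beneath that prefix. Session labels may carry client-chosen elements, so if `path_from_label` (defined outside this hunk) passes through `..` or an embedded `/`, or if the path class canonicalizes on append, the session root could land outside the directory the policy intended. I would keep a copy of the imported prefix, compare it against `root_path` after the append, and deny the session when the prefix is no longer its leading component. Separately, `value(tmp, sizeof(tmp))` appears to copy into a fixed buffer declared outside the hunk, so an over-long `path_prefix` should be rejected rather than risk rooting the session at a truncated path. The enclosing function starts and ends outside the hunk.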