author | Olivier Brunel
<jjk@jjacky.com> 2015-02-21 13:44:43 UTC |
committer | Olivier Brunel
<jjk@jjacky.com> 2015-04-04 12:47:34 UTC |
parent | 8f1b61e33f32c37d878bc656b0956309e2214100 |
doc/aa-chroot.pod | +30 | -0 |
package/modes | +1 | -0 |
package/targets.mak | +2 | -0 |
src/utils/aa-chroot.c | +62 | -0 |
src/utils/deps-exe/aa-chroot | +2 | -0 |
diff --git a/doc/aa-chroot.pod b/doc/aa-chroot.pod
new file mode 100644
index 0000000..2bc0fc6
--- /dev/null
+++ b/doc/aa-chroot.pod
@@ -0,0 +1,30 @@
+=head1 NAME
+
+aa-chroot - Execute command within given chroot jail
+
+=head1 SYNOPSIS
+
+B<aa-chroot> I<NEWROOT> I<COMMAND> [I<ARG...>]
+
+=head1 OPTIONS
+
+=over
+
+=item B<-h, --help>
+
+Show help screen and exit.
+
+=item B<-V, --version>
+
+Show version information and exit.
+
+=back
+
+=head1 DESCRIPTION
+
+B<aa-chroot>(1) sets the root filesytem for the current process to I<NEWROOT>,
+which must exists, goes into this directory, chroots into it and chdir into the
+(new) root ("/"). It then executes into I<COMMAND> (searched under the new root)
+with the given I<ARG> (if any).
+
+Note that B<aa-chroot>(1)'s parent process if unaffected by the change.
diff --git a/package/modes b/package/modes
index 81fbd6f..9f00ff7 100644
--- a/package/modes
+++ b/package/modes
@@ -1,3 +1,4 @@
+aa-chroot 0755
 aa-echo 0755
 aa-enable 0755
 aa-kill 0755
diff --git a/package/targets.mak b/package/targets.mak
index 266e6f8..5efe0bf 100644
--- a/package/targets.mak
+++ b/package/targets.mak
@@ -4,12 +4,14 @@ aa-start \ aa-stop LIBEXEC_TARGETS := \ +aa-chroot \ aa-echo \ aa-kill \ aa-pivot DOC_TARGETS := \ anopa.1 \ +aa-chroot.1 \ aa-echo.1 \ aa-enable.1 \ aa-pivot.1 \
diff --git a/src/utils/aa-chroot.c b/src/utils/aa-chroot.c
new file mode 100644
index 0000000..f3be75c
--- /dev/null
+++ b/src/utils/aa-chroot.c
@@ -0,0 +1,62 @@
+
+#define _BSD_SOURCE
+
+#include <getopt.h>
+#include <unistd.h>
+#include <skalibs/djbunix.h>
+#include <skalibs/strerr2.h>
+#include <anopa/common.h>
+
+static void
+dieusage (int rc)
+{
+ aa_die_usage (rc, "NEWROOT COMMAND [ARG...]",
+ " -h, --help Show this help screen and exit\n"
+ " -V, --version Show version information and exit\n"
+ );
+}
+
+int
+main (int argc, char * const argv[], char * const envp[])
+{
+ PROG = "aa-chroot";
+
+ for (;;)
+ {
+ struct option longopts[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, 'V' },
+ { NULL, 0, 0, 0 }
+ };
+ int c;
+
+ c = getopt_long (argc, argv, "hV", longopts, NULL);
+ if (c == -1)
+ break;
+ switch (c)
+ {
+ case 'h':
+ dieusage (0);
+
+ case 'V':
+ aa_die_version ();
+
+ default:
+ dieusage (1);
+ }
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (argc < 2)
+ dieusage (1);
+
+ if (chdir (argv[0]) < 0)
+ strerr_diefu2sys (2, "chdir to ", argv[0]);
+ if (chroot (".") < 0)
+ strerr_diefu1sys (3, "chroot");
+ if (chdir ("/") < 0)
+ strerr_diefu1sys (3, "chdir to new root");
+ pathexec_run (argv[1], (char const * const *) argv + 1, (char const * const *) envp);
+ strerr_dieexec (4, argv[1]);
+}
diff --git a/src/utils/deps-exe/aa-chroot b/src/utils/deps-exe/aa-chroot
new file mode 100644
index 0000000..30987b4
--- /dev/null
+++ b/src/utils/deps-exe/aa-chroot
@@ -0,0 +1,2 @@
+${LIBANOPA}
+-lskarnet
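Review bot: In src/utils/aa-chroot.c nothing between `chroot (".")` and `pathexec_run` drops privileges or closes inherited descriptors, so COMMAND runs with the caller's uid and capabilities and keeps any open descriptor that refers to something outside NEWROOT; chroot(2) by itself is not a confinement boundary for a process that still holds CAP_SYS_CHROOT. The chdir / chroot(".") / chdir("/") sequence itself is sound. Because doc/aa-chroot.pod describes this as a "chroot jail", I would state the limit next to the call, e.g. `/* changes the root only: privileges and inherited fds are kept, so this is not a sandbox for root */`, and repeat the caveat in the DESCRIPTION. Separately, the `case 'h':` and `case 'V':` arms have no `break` and rely on dieusage() and aa_die_version() never returning, which is presumably true of the anopa helpers but is not visible here; a `/* does not return */` comment on each would make that explicit.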