diff --git a/daemon/container.go b/daemon/container.go
index 5ea2df2af5b5a8ea2707ff888805254ca6023da7..042f4f025b6d2b5aa4863b0760703cb0a60cdc47 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -77,6 +77,7 @@ type Container struct {
 
 	daemon                   *Daemon
 	MountLabel, ProcessLabel string
+	AppArmorProfile          string
 	RestartCount             int
 
 	// Maps container paths to volume paths.  The key in this is the path to which
@@ -275,6 +276,7 @@ func populateCommand(c *Container, env []string) error {
 		ProcessLabel:       c.GetProcessLabel(),
 		MountLabel:         c.GetMountLabel(),
 		LxcConfig:          lxcConfig,
+		AppArmorProfile:    c.AppArmorProfile,
 	}
 
 	return nil
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 267763fd06d4f3d41c9576cd2580139833b50705..b47498b2e1142dafaf3a787273480cb089c0328d 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -561,8 +561,16 @@ func (daemon *Daemon) newContainer(name string, config *runconfig.Config, img *i
 
 	for _, opt := range config.SecurityOpt {
 		con := strings.SplitN(opt, ":", 2)
-		if con[0] == "label" {
+		if len(con) == 1 {
+			return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
+		}
+		switch con[0] {
+		case "label":
 			label_opts = append(label_opts, con[1])
+		case "apparmor":
+			container.AppArmorProfile = con[1]
+		default:
+			return nil, fmt.Errorf("Invalid --security-opt: %q", opt)
 		}
 	}
 
diff --git a/daemon/execdriver/driver.go b/daemon/execdriver/driver.go
index 6a7e79eca6bae52beaa99e51cc2ab62bc7e74b0c..0be2d50dc473719f0bb44b6a001e218bc0c65d65 100644
--- a/daemon/execdriver/driver.go
+++ b/daemon/execdriver/driver.go
@@ -116,4 +116,5 @@ type Command struct {
 	ProcessLabel       string            `json:"process_label"`
 	MountLabel         string            `json:"mount_label"`
 	LxcConfig          []string          `json:"lxc_config"`
+	AppArmorProfile    string            `json:"apparmor_profile"`
 }
diff --git a/daemon/execdriver/lxc/driver.go b/daemon/execdriver/lxc/driver.go
index abb74bf5791a1130981888bbfa0c4781f87ebf80..0809b05c1eaa2ac4588993f30c3cacd3df91775b 100644
--- a/daemon/execdriver/lxc/driver.go
+++ b/daemon/execdriver/lxc/driver.go
@@ -409,10 +409,7 @@ func rootIsShared() bool {
 }
 
 func (d *driver) generateLXCConfig(c *execdriver.Command) (string, error) {
-	var (
-		root       = path.Join(d.root, "containers", c.ID, "config.lxc")
-		label_opts []string
-	)
+	root := path.Join(d.root, "containers", c.ID, "config.lxc")
 
 	fo, err := os.Create(root)
 	if err != nil {
diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go
index c3abb9a75b128fb13ec591062ab05822d91a0c04..4f325353e9f0dc3d325c6f405d629da4d36051f1 100644
--- a/daemon/execdriver/native/create.go
+++ b/daemon/execdriver/native/create.go
@@ -49,6 +49,10 @@ func (d *driver) createContainer(c *execdriver.Command) (*libcontainer.Config, e
 		}
 	}
 
+	if c.AppArmorProfile != "" {
+		container.AppArmorProfile = c.AppArmorProfile
+	}
+
 	if err := d.setupCgroups(container, c); err != nil {
 		return nil, err
 	}