diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index c61ad1405f..f4dab90707 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -5,7 +5,6 @@ package daemon
 import (
 "fmt"
- "github.com/containerd/containerd/v2/pkg/apparmor"
 "github.com/moby/moby/v2/daemon/internal/rootless"
 aaprofile "github.com/moby/profiles/apparmor"
 )
@@ -18,11 +17,7 @@ const (
 // DefaultApparmorProfile returns the name of the default apparmor profile
 func DefaultApparmorProfile() string {
- if apparmor.HostSupports() {
- if detachedNetNS, _ := rootless.DetachedNetNS(); detachedNetNS != "" {
- // AppArmor is inaccessible with detached-netns because sysfs is netns-scoped.
- return ""
- }
+ if appArmorSupported() {
 return defaultAppArmorProfile
 }
 return ""
@@ -55,7 +50,7 @@ func installDefaultAppArmorProfile() error {
 }
 func defaultAppArmorProfileSupported() bool {
- hostSupports := apparmor.HostSupports()
+ hostSupports := appArmorSupported()
 if hostSupports {
 if detachedNetNS, _ := rootless.DetachedNetNS(); detachedNetNS != "" {
 // "open /sys/kernel/security/apparmor/profiles: permission denied"
diff --git a/daemon/apparmor_linux.go b/daemon/apparmor_linux.go
new file mode 100644
index 0000000000..efc553cd3e
--- /dev/null
+++ b/daemon/apparmor_linux.go
@@ -0,0 +1,16 @@
+package daemon
+
+import (
+ "github.com/containerd/containerd/v2/pkg/apparmor"
+ "github.com/moby/moby/v2/daemon/internal/rootless"
+)
+
+// appArmorSupported returns true if AppArmor is supported and accessible on the host.
+func appArmorSupported() bool {
+ if detachedNetNS, _ := rootless.DetachedNetNS(); detachedNetNS != "" {
+ // AppArmor is inaccessible with detached-netns because sysfs is netns-scoped.
+ // https://github.com/moby/moby/issues/52626
+ return false
+ }
+ return apparmor.HostSupports()
+}
diff --git a/daemon/apparmor_unsupported.go b/daemon/apparmor_unsupported.go
new file mode 100644
index 0000000000..807c325e9e
--- /dev/null
+++ b/daemon/apparmor_unsupported.go
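Review bot: In defaultAppArmorProfileSupported the inner `rootless.DetachedNetNS()` check kept under `if hostSupports {` is now effectively dead, because `appArmorSupported()` already returns false whenever a detached netns is present, so the branch can only run if the two lookups disagree. Removing it would also let apparmor_default.go drop the `rootless` import it now keeps only for that check; if the branch is kept on purpose, a comment such as `// appArmorSupported already returns false for detached-netns; this guard only documents the sysfs EPERM case` would explain the redundancy. The function continues past the end of the hunk, so I cannot see what the branch does after the quoted error comment.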
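Review bot: appArmorSupported discards the error from `rootless.DetachedNetNS()`, so a failed lookup falls through to `apparmor.HostSupports()` and reports AppArmor as usable even though the netns state could not be determined; whether that fail-open choice is intended should be stated, since every caller touched here (DefaultApparmorProfile, WithApparmor, execSetPlatformOpt) uses the result to decide whether any profile is applied. The doc comment should also say what a false result means for callers, e.g. `// A false result makes callers apply no AppArmor profile at all; an error from DetachedNetNS is deliberately treated as "not detached".`. The helper also repeats the netns lookup on every call; if DetachedNetNS() is not cheap, the container-start path pays for it per container, so noting that (or caching the result) would help the next reader.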
@@ -0,0 +1,8 @@
+//go:build !linux
+
+package daemon
+
+// appArmorSupported returns true if AppArmor is supported and accessible on the host.
+func appArmorSupported() bool {
+ return false
+}
diff --git a/daemon/exec_linux.go b/daemon/exec_linux.go
index d97d4fd6d4..d870bb08c2 100644
--- a/daemon/exec_linux.go
+++ b/daemon/exec_linux.go
@@ -4,7 +4,6 @@ import (
 "context"
 containerd "github.com/containerd/containerd/v2/client"
- "github.com/containerd/containerd/v2/pkg/apparmor"
 coci "github.com/containerd/containerd/v2/pkg/oci"
 "github.com/moby/moby/v2/daemon/config"
 "github.com/moby/moby/v2/daemon/container"
@@ -66,7 +65,7 @@ func (daemon *Daemon) execSetPlatformOpt(ctx context.Context, daemonCfg *config.
 }
 }
- if apparmor.HostSupports() {
+ if appArmorSupported() {
 var appArmorProfile string
 if ec.Container.AppArmorProfile != "" {
 appArmorProfile = ec.Container.AppArmorProfile
diff --git a/daemon/exec_linux_test.go b/daemon/exec_linux_test.go
index 8c4614c694..92bec54d35 100644
--- a/daemon/exec_linux_test.go
+++ b/daemon/exec_linux_test.go
@@ -6,7 +6,6 @@ import (
 "context"
 "testing"
- "github.com/containerd/containerd/v2/pkg/apparmor"
 containertypes "github.com/moby/moby/api/types/container"
 "github.com/moby/moby/v2/daemon/container"
 "github.com/opencontainers/runtime-spec/specs-go"
@@ -14,7 +13,7 @@ import (
 )
 func TestExecSetPlatformOptAppArmor(t *testing.T) {
- appArmorEnabled := apparmor.HostSupports()
+ appArmorEnabled := appArmorSupported()
 tests := []struct {
 doc string
diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 668891e267..d01988f966 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
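Review bot: TestExecSetPlatformOptAppArmor now takes `appArmorEnabled` from `appArmorSupported()`, the same gate execSetPlatformOpt itself uses, so the expectation is derived from the code under test and the new detached-netns branch is only exercised if the CI runner happens to be rootless with a detached netns. A small seam, e.g. `var appArmorSupported = hostAppArmorSupported` with the real implementation renamed, would let the test force both true and false and assert that a requested profile is applied in one case and omitted in the other. The test body continues past the hunk, so the existing table cases may already cover part of this.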
@@ -12,13 +12,11 @@ import (
 cdcgroups "github.com/containerd/cgroups/v3"
 "github.com/containerd/containerd/v2/core/containers"
- "github.com/containerd/containerd/v2/pkg/apparmor"
 coci "github.com/containerd/containerd/v2/pkg/oci"
 "github.com/containerd/log"
 containertypes "github.com/moby/moby/api/types/container"
 dconfig "github.com/moby/moby/v2/daemon/config"
 "github.com/moby/moby/v2/daemon/container"
- "github.com/moby/moby/v2/daemon/internal/rootless"
 "github.com/moby/moby/v2/daemon/internal/rootless/mountopts"
 "github.com/moby/moby/v2/daemon/internal/rootless/specconv"
 "github.com/moby/moby/v2/daemon/pkg/oci"
@@ -126,11 +124,7 @@ func WithSelinux(c *container.Container) coci.SpecOpts {
 // WithApparmor sets the apparmor profile
 func WithApparmor(c *container.Container) coci.SpecOpts {
 return func(ctx context.Context, _ coci.Client, _ *containers.Container, s *coci.Spec) error {
- if apparmor.HostSupports() {
- // AppArmor is inaccessible with detached-netns because sysfs is netns-scoped.
- if detachedNetNS, _ := rootless.DetachedNetNS(); detachedNetNS != "" {
- return nil
- }
+ if appArmorSupported() {
 var appArmorProfile string
 if c.AppArmorProfile != "" {
 appArmorProfile = c.AppArmorProfile
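Review bot: When `appArmorSupported()` is false, WithApparmor skips the whole block that reads `c.AppArmorProfile`, so a container that explicitly requested a profile appears to start with no AppArmor confinement and no diagnostic; the removed detached-netns branch returned nil the same way, so this is not new, but the refactor is the right moment to make the downgrade visible. Since oci_linux.go already imports github.com/containerd/log, a guard ahead of the `if` such as `if !appArmorSupported() && c.AppArmorProfile != "" { log.G(ctx).WithField("profile", c.AppArmorProfile).Warn("AppArmor profile requested but AppArmor is not supported or accessible on this host; starting without it") }` would record it, and the same consideration applies to the execSetPlatformOpt hunk in exec_linux.go. The closure body continues past the hunk, so this assumes nothing further down already reports that case.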