diff --git a/driver/docker-container/driver.go b/driver/docker-container/driver.go
index 263e3cc2..1e93cb08 100644
--- a/driver/docker-container/driver.go
+++ b/driver/docker-container/driver.go
@@ -8,6 +8,7 @@ import (
 "os"
 "path"
 "path/filepath"
+ "strconv"
 "strings"
 "sync/atomic"
 "time"
@@ -41,6 +42,7 @@ type Driver struct {
 netMode string
 image string
 cgroupParent string
+ securityOpts map[string]string
 env []string
 }
@@ -112,7 +114,7 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 useInit := true // let it cleanup exited processes created by BuildKit's container API
 if err := l.Wrap("creating container "+d.Name, func() error {
 hc := &container.HostConfig{
- Privileged: false,
+ Privileged: true,
 Mounts: []mount.Mount{
 {
 Type: mount.TypeVolume,
@@ -126,6 +128,13 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 hc.NetworkMode = container.NetworkMode(d.netMode)
 }
 if info, err := d.DockerAPI.Info(ctx); err == nil {
+ secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
+ l.Wrap("driverOpts"+info.CgroupDriver, func() error {
+ return nil
+ })
+ if err != nil {
+ return err
+ }
 if info.CgroupDriver == "cgroupfs" {
 // Place all buildkit containers inside this cgroup by default so limits can be attached
 // to all build activity on the host.
@@ -134,17 +143,13 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 hc.CgroupParent = d.cgroupParent
 }
 }
- secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
- if err != nil {
- return err
- }
 for _, f := range secOpts {
 if f.Name == "userns" {
 hc.UsernsMode = "host"
 break
 }
 }
- for i, k := range d.SecurityOpts {
+ for i, k := range d.securityOpts {
 switch {
 case i == "systempaths":
 hc.MaskedPaths = []string{}
diff --git a/driver/docker-container/factory.go b/driver/docker-container/factory.go
index 118d9c5a..11ebc0f0 100644
--- a/driver/docker-container/factory.go
+++ b/driver/docker-container/factory.go
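Review bot: `Privileged: true` is now hard-coded in the HostConfig literal even though factory.go starts accepting a `privileged` driver option into `d.securityOpts`, and nothing in the visible lines feeds that option into `hc.Privileged`, so a user who sets `privileged=false` would presumably still get a privileged buildkitd container. If the option is meant to control this, initialise the field from it — parsing the value with `strconv.ParseBool` would give the `strconv` import added in the first hunk a use, as it is otherwise unused in these hunks — and state the default at the literal, e.g. `// buildkitd runs privileged unless the privileged driver option disables it`. The body of create continues outside this hunk, so the option may be applied further down; if so, a one-line comment at the literal saying it is overridden later would spare the next reader the same question.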
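Review bot: The added `l.Wrap("driverOpts"+info.CgroupDriver, func() error { return nil })` does no work, discards its error result, and presumably emits a progress entry whose name fuses two words without a separator; it reads as leftover debugging and should be dropped before merge. The `secOpts, err :=` on the line above also declares a fresh `err` that shadows the one bound by `if info, err := d.DockerAPI.Info(ctx); err == nil`; it is harmless as written, but the shadow analyzer will flag it, and keeping the decode after the cgroup block where the fifth hunk removes it (or naming the result `decodeErr`) avoids that. The enclosing closure passed to `l.Wrap("creating container "+d.Name, ...)` starts in an earlier hunk and ends outside this one.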
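Review bot: In the `for i, k := range d.securityOpts` loop, `case i == "systempaths": hc.MaskedPaths = []string{}` removes the masked paths Docker applies by default on the mere presence of the key, without consulting the value `k` in the visible lines (and presumably `ReadonlyPaths` is cleared on the next line). Unmasking those paths inside the buildkitd container should only happen for the explicit value `unconfined`, with any other value rejected rather than silently treated as unconfined, so the arm should read `case i == "systempaths" && k == "unconfined":` with a `default` that returns an error for unknown values; if that check already lives in the rest of the switch, which continues outside the hunk, moving it into the arm keeps the condition next to the effect. Switching the loop from `d.SecurityOpts` to `d.securityOpts` also means options passed via `InitConfig.SecurityOpts` are no longer consulted here unless factory.go copies them into the map, which the factory hunk does not do in its visible lines.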
@@ -40,6 +40,7 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver return nil, errors.Errorf("%s driver requires docker API access", f.Name()) } d := &Driver{factory: f, InitConfig: cfg} + d.securityOpts = make(map[string]string) for k, v := range cfg.DriverOpts { switch { case k == "network": @@ -57,11 +58,32 @@ func (f *factory) New(ctx context.Context, cfg driver.InitConfig) (driver.Driver return nil, errors.Errorf("invalid env option %q, expecting env.FOO=bar", k) } d.env = append(d.env, fmt.Sprintf("%s=%s", envName, v)) + case k == "seccomp": + d.securityOpts[k] = v + case k == "apparmor": + d.securityOpts[k] = v + case k == "systempaths": + d.securityOpts[k] = v + case k == "privileged": + d.securityOpts[k] = v default: return nil, errors.Errorf("invalid driver option %s for docker-container driver", k) } } - + for i, _ := range cfg.SecurityOpts { + switch { + case i == "seccomp": + continue + case i == "apparmor": + continue + case i == "systempaths": + continue + case i == "privileged": + continue + default: + return nil, errors.Errorf("invalid Security option %s for docker-container driver", i) + } + } return d, nil }
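Review bot: The new loop over `cfg.SecurityOpts` validates the keys and then does nothing with them — every accepted arm is `continue` — so options supplied through `InitConfig.SecurityOpts` are accepted and silently dropped, and because driver.go now iterates `d.securityOpts` instead of `d.SecurityOpts` they never reach the HostConfig. Copy each accepted entry into `d.securityOpts` (assuming `SecurityOpts` is a `map[string]string` like `DriverOpts`, which the old `for i, k := range d.SecurityOpts` in driver.go suggests), collapse the four identical arms in both switches into one multi-value `case`, write `for k, v := range` instead of `for i, _ := range` (gofmt flags the blank), and lowercase "Security" in the error so it matches the neighbouring message. Validating the values here as well — `strconv.ParseBool` for `privileged`, `unconfined` for `systempaths` — would reject a bad option at construction time instead of after a container has been created; `strconv` is imported in driver.go by this change but not in this file.

```go
		case k == "seccomp", k == "apparmor", k == "systempaths", k == "privileged":
			d.securityOpts[k] = v
		// … unchanged: default arm and end of the DriverOpts loop …
	for k, v := range cfg.SecurityOpts {
		switch k {
		case "seccomp", "apparmor", "systempaths", "privileged":
			d.securityOpts[k] = v
		default:
			return nil, errors.Errorf("invalid security option %s for docker-container driver", k)
		}
	}
	return d, nil
```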