doing it

driver/docker-container/driver.go

@@ -3,6 +3,7 @@ package docker
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"io"
 	"net"
 	"os"
@@ -109,11 +110,10 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 	if d.InitConfig.BuildkitFlags != nil {
 		cfg.Cmd = d.InitConfig.BuildkitFlags
 	}
-
 	useInit := true // let it cleanup exited processes created by BuildKit's container API
 	if err := l.Wrap("creating container "+d.Name, func() error {
 		hc := &container.HostConfig{
-			Privileged: true,
+			Privileged: false,
 			Mounts: []mount.Mount{
 				{
 					Type:   mount.TypeVolume,
@@ -135,19 +135,25 @@ func (d *Driver) create(ctx context.Context, l progress.SubLogger) error {
 					hc.CgroupParent = d.cgroupParent
 				}
 			}
-
 			secOpts, err := dockertypes.DecodeSecurityOptions(info.SecurityOptions)
 			if err != nil {
 				return err
 			}
 			for _, f := range secOpts {
+				fmt.Println(f)
 				if f.Name == "userns" {
 					hc.UsernsMode = "host"
 					break
 				}
 			}
-
+			//hc.SecurityOpt=["seccomp:unconfined" "apparmor:unconfined" "systempaths:unconfined"]
+			hc.SecurityOpt = append(hc.SecurityOpt, "seccomp=unconfined")
+			hc.SecurityOpt = append(hc.SecurityOpt, "apparmor=unconfined")
+			hc.SecurityOpt = append(hc.SecurityOpt, "systempaths=unconfined")
+			hc.Privileged = false
 		}
+		fmt.Println(cfg)
+		fmt.Println(hc)
 		_, err := d.DockerAPI.ContainerCreate(ctx, cfg, hc, &network.NetworkingConfig{}, nil, d.Name)
 		if err != nil && !errdefs.IsConflict(err) {
 			return err
@@ -273,6 +279,7 @@ func (d *Driver) run(ctx context.Context, cmd []string, stdout, stderr io.Writer
 	if resp.ExitCode != 0 {
 		return errors.Errorf("exit code %d", resp.ExitCode)
 	}
+	fmt.Println("did I get in here")
 	return nil
 }