Well, first of all RancherOS has 2 docker daemons running.
One of 'system' containers and one for 'user' containers.
If I'm not mistaken system containers already have some special options passed to the run command. Maybe even different options for different system containers, I don't remember right now.
But I'm pretty sure the goal is to allow the person or process that runs the container to specify any options.
So I guess I'm wrong thinking Docker already supported seccomp ?
Or was that only with the older LXC-backend ?