diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ee78e49a3..4ed65f63a 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1873,8 +1873,27 @@ dev/null proc/kcore none bind,relative 0 0
2
blacklist
mknod errno 0
+ ioctl notify
+
+ Specifying "errno" as action will cause LXC to register a seccomp filter
+ that will cause a specific errno to be returned ot the caller. The errno
+ value can be specified after the "errno" action word.
+
+
+
+ Specifying "notify" as action will cause LXC to register a seccomp
+ listener and retrieve a listener file descriptor from the kernel. When a
+ syscall is made that is registered as "notify" the kernel will generate a
+ poll event and send a message over the file descriptor. The caller can
+ read this message, inspect the syscalls including its arguments. Based on
+ this information the caller is expected to send back a message informing
+ the kernel which action to take. Until that message is sent the kernel
+ will block the calling process. The format of the messages to read and
+ sent is documented in seccomp itself.
+
+
@@ -1900,6 +1919,20 @@ dev/null proc/kcore none bind,relative 0 0
+
+
+
+
+
+
+ Specify a unix socket to which LXC will connect and forward
+ seccomp events to. The path must by in the form
+ unix:/path/to/socket or unix:@socket. The former specifies a
+ path-bound unix domain socket while the latter specifies an
+ abstract unix domain socket.
+
+
+