seccomp_unotify.2: NOTES: describe an example use-case

The container manager use case was the original motivation
for this feature.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/seccomp_unotify.2

@@ -634,6 +634,29 @@ or the target has terminated.
 .\"     whether the target thread has picked up the response yet
 .RE
 .SH NOTES
+One example use case for the user-space notification
+mechanism is to allow a container manager
+(a process which is typically running with more privilege than
+the processes inside the container)
+to mount block devices or create device nodes for the container.
+The mount use case provides an example of where the
+.BR SECCOMP_USER_NOTIF_FLAG_CONTINUE
+.BR ioctl (2)
+operation is useful.
+Upon receiving a notification for the
+.BR mount (2)
+system call, the container manager (the "supervisor") can distinguish
+a request to mount a block filesystem
+(which would not be possible for a "target" process inside the container)
+and mount that file system.
+If, on the other hand, the container manager detects that the operation
+could be performed by the process inside the container
+(e.g., a mount of a
+.BR tmpfs (5)
+filesystem), it can notify the kernel that the target process's
+.BR mount (2)
+system call can continue.
+.\"
 .SS select()/poll()/epoll semantics
 The file descriptor returned when
 .BR seccomp (2)