diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 94df6f8b90..977497af29 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -1395,7 +1395,18 @@
rawio='yes', rawio capability will be enabled for all disks in
the domain (because, in the case of QEMU, this capability can
only be set on a per-process basis). This attribute is only
- valid when device is "lun".
+ valid when device is "lun". NB, rawio intends to
+ confine the capability per-device, however, current QEMU
+ implementation gives the domain process broader capability
+ than that (per-process basis, affects all the domain disks).
+ To confine the capability as much as possible for QEMU driver
+ as this stage, sgio is recommended, it's more
+ secure than rawio.
+ The optional sgio (since 1.0.2)
+ attribute indicates whether the kernel will filter unprivileged
+ SG_IO commands for the disk, valid settings are "filtered" or
+ "unfiltered". Defaults to "filtered". Similar to rawio,
+ sgio is only valid for device 'lun'.
The optional snapshot attribute indicates the default
behavior of the disk during disk snapshots: "internal"
requires a file format such as qcow2 that can store both the
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 0529d627e1..7a9778159f 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -971,24 +971,42 @@
-->
-
-
-
- floppy
- disk
- cdrom
- lun
-
-
-
-
-
-
- yes
- no
-
-
-
+
+
+
+
+
+ floppy
+ disk
+ cdrom
+
+
+
+
+
+
+
+ lun
+
+
+
+
+
+ yes
+ no
+
+
+
+
+
+
+ filtered
+ unfiltered
+
+
+
+
+