config-linux.md: formalize the order of seccomp.syscalls

Corresponds to the behavior of existing implementations such as runc

Signed-off-by: Akihiro Suda <[email protected]>

Author: AkihiroSuda

config-linux.md

@@ -718,6 +718,7 @@ The following parameters can be specified to set up seccomp:
     This field MUST NOT be set if `listenerPath` is not set.
 
 * **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp.
+    When the syscall matches multiple entries, only the first entry is effective.
     While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries.
     For example, if `defaultAction` is `SCMP_ACT_KILL` and `syscalls` is empty or unset, the kernel will kill the container process on its first syscall.
     Each entry has the following structure: