From 1770f630f01a6c3c716f74bbe72f3a8c9e9372ba Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Fri, 2 Sep 2022 14:15:25 +0900 Subject: [PATCH] config-linux.md: formalize the order of seccomp.syscalls Corresponds to the behavior of existing implementations such as runc Signed-off-by: Akihiro Suda --- config-linux.md | 1 + 1 file changed, 1 insertion(+) diff --git a/config-linux.md b/config-linux.md index 178361f34..7f135cb5b 100644 --- a/config-linux.md +++ b/config-linux.md @@ -718,6 +718,7 @@ The following parameters can be specified to set up seccomp: This field MUST NOT be set if `listenerPath` is not set. * **`syscalls`** *(array of objects, OPTIONAL)* - match a syscall in seccomp. + When the syscall matches multiple entries, only the first entry is effective. While this property is OPTIONAL, some values of `defaultAction` are not useful without `syscalls` entries. For example, if `defaultAction` is `SCMP_ACT_KILL` and `syscalls` is empty or unset, the kernel will kill the container process on its first syscall. Each entry has the following structure:
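Review bot: The added sentence "When the syscall matches multiple entries, only the first entry is effective." is written as an informal description, while the surrounding text in this hunk uses RFC 2119 keywords ("This field MUST NOT be set if `listenerPath` is not set."); since the commit message says the intent is to formalize existing behaviour, the new line should use a normative keyword, for example "When a syscall matches multiple entries, runtimes MUST apply only the first matching entry." Two further points on this line: "the syscall" should read "a syscall" (no particular syscall has been introduced), and "matches" should say what is being matched, since each `syscalls` entry carries more than a name (the text below the hunk refers to the entry structure); stating whether the first match is decided by syscall name alone or by the whole entry including its argument filters is what a profile author needs in order to reason about precedence, because a broad entry placed first will otherwise shadow a narrower one placed later. It would also help readers to add, next to the existing `defaultAction` example, one sentence noting that `defaultAction` applies only when no entry matches, so the relationship between entry order and the default is stated in one place.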