Seccomp policy violation when using strict confinement

I have developed a snap app and have used the devmode install option. I am now attempting to build and deploy with strict confinement. Below I have provided version info and Seccomp fault.

Can anyone direct me to tutorial to build policy overrides into a snap interface? I have seen it mentioned on but am relatively new to building interfaces.

Also, I have seen others have had issue with the setgroups call violation with Seccomp. I am not sure if this is still an outstanding issue.

My app does not specifically use a call to setgroups but is simply attempting to read the product serial number with the following system command:
sudo cat /sys/class/dmi/id/product_serial

version info:
Linux version 4.4.0-139-generic (buildd@lcy01-amd64-006) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #165-Ubuntu SMP Wed Oct 24 10:58:50 UTC 2018

snap 2.36.1
snapd 2.36.1
series 16
kernel 4.4.0-139-generic

Seccomp denial:
admin@CRMYB02:~$ sudo scanlog niagara
INFO: following ‘/var/log/syslog’. If have dropped messages, use:
INFO: $ sudo journalctl --output=short --follow --all | sudo scanlog
kernel.printk_ratelimit = 0
= Seccomp =
Time: Nov 29 03:04:15
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=7871 comm=“sudo” exe="/usr/bin/sudo" sig=0 arch=c000003e 116(setgroups) compat=0 ip=0x7f195c68cf09 code=0x50000
Syscall: setgroups

setgroups is problematic and is discussed here: Seccomp filtering for setgroups (it even includes a workaround for the issue by using LD_PRELOAD to stub out setgroups).

This also isn’t the correct message for setgroups. I’ll adjust snappy-debug accordingly.