Use of journalctl from within a snap

I need to call journalctl from within my snap. At the moment it only works if I run in devmode and run the command using 'sudo journalctl'. I ultimately want to run my snap in strict confinement. I am connecting to the log-observe interface but I think I probably need to add something to the stage-packages in my snapcraft.yaml and also some interfaces. I would appreciate any suggestions.

Here are the confinement warnings I get when I run in strict confinement:

Log: apparmor="DENIED" operation="exec" profile="snap.epi-logstream.main" name="/usr/bin/sudo" pid=5483 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /usr/bin/sudo (exec)
Suggestions:

  • adjust snap to ship 'sudo'
  • adjust program to use relative paths if the snap already ships 'sudo'

Log: apparmor="DENIED" operation="open" profile="snap.epi-logstream.main" name="/proc/5466/coredump_filter" pid=5467 comm="java" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
File: /proc/5466/coredump_filter (write)
Suggestion:

  • adjust program to not access '@{PROC}/@{pid}/coredump_filter'
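An added example, not part of the original post: a small parser that turns AppArmor denial lines like the two quoted above into a per-profile summary of what the snap was refused. The function names are made up for this example, and the sample lines are copied from the post with straight quotes.

```python
import re
from collections import defaultdict

# The two denials quoted in the post, in the form the kernel writes them.
SAMPLE = [
    'apparmor="DENIED" operation="exec" profile="snap.epi-logstream.main" '
    'name="/usr/bin/sudo" pid=5483 comm="java" requested_mask="x" '
    'denied_mask="x" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="open" profile="snap.epi-logstream.main" '
    'name="/proc/5466/coredump_filter" pid=5467 comm="java" '
    'requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000',
]

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the key/value fields of one audit line, or None if it is not a denial."""
    # Forum software often turns straight quotes into curly ones; undo that first.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    fields = {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in KV.finditer(line)
    }
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(lines):
    """Group denied paths by (profile, operation), collapsing /proc/<pid>/ paths."""
    out = defaultdict(set)
    for line in lines:
        f = parse_denial(line)
        if f is None:
            continue
        # Same notation the suggestion text uses for per-process /proc entries.
        path = re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", f.get("name", "?"))
        key = (f.get("profile", "?"), f.get("operation", "?"))
        out[key].add((path, f.get("denied_mask", "")))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (profile, op), hits in summarize(SAMPLE).items():
        for path, mask in hits:
            print(f"{profile}: {op} {path} (denied {mask})")
```
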

assuming you are on UbuntuCore, there is no adm group … on classic Ubuntu logs are owned by this group and by default any new user is added to it, which allows normal users access to the logs … in UbuntuCore, without this group, you need to be root to open the logs …

you will need to split your app into two parts, a daemon that collects the log info for you with the correct permissions and an app that can collect them from/through that daemon …

Thank you. So for example I could use something like this to gather the logs locally (so use localhost instead of a remote server)

And then run journalctl on the snap directory from my snap because this is a journald output in my $SNAP_DATA directory so the permissions would be ok?

right, you could run the receiver as part of the user-space app …