canonical · ZeyadYasser · Sep 25, 2024 · Aug 30, 2024 · Sep 15, 2024 · Sep 16, 2024
diff --git a/interfaces/builtin/desktop_legacy.go b/interfaces/builtin/desktop_legacy.go
@@ -20,8 +20,6 @@
 package builtin
 
 import (
-	"strings"
-
 	"github.com/snapcore/snapd/interfaces"
 	"github.com/snapcore/snapd/interfaces/apparmor"
 )
@@ -395,7 +393,7 @@ func (iface *desktopLegacyInterface) AppArmorConnectedPlug(spec *apparmor.Specif
 	// interfaces (like desktop-launch), so they are added here with the minimum
 	// priority, while those other, more privileged, interfaces will add an empty
 	// string with a bigger privilege value.
-	desktopSnippet := strings.Join(getDesktopFileRules(plug.Snap()), "\n")
+	desktopSnippet := getDesktopFileRules(plug.Snap())
 	spec.AddPrioritizedSnippet(desktopSnippet, prioritizedSnippetDesktopFileAccess, desktopLegacyAndUnity7Priority)
 
 	return nil

diff --git a/interfaces/builtin/export_test.go b/interfaces/builtin/export_test.go
@@ -152,6 +152,6 @@ func MockApparmorGenerateAAREExclusionPatterns(fn func(excludePatterns []string,
 	return testutil.Mock(&apparmorGenerateAAREExclusionPatterns, fn)
 }
 
-func MockDesktopFilesFromMount(fn func(s *snap.Info) ([]string, error)) (restore func()) {
-	return testutil.Mock(&desktopFilesFromMount, fn)
+func MockDesktopFilesFromInstalledSnap(fn func(s *snap.Info) ([]string, error)) (restore func()) {
+	return testutil.Mock(&desktopFilesFromInstalledSnap, fn)
 }
diff --git a/interfaces/builtin/unity7.go b/interfaces/builtin/unity7.go
@@ -695,7 +695,7 @@ func (iface *unity7Interface) AppArmorConnectedPlug(spec *apparmor.Specification
 	// interfaces (like desktop-launch), so they are added here with the minimum
 	// priority, while those other, more privileged, interfaces will add an empty
 	// string with a bigger privilege value.
-	desktopSnippet := strings.Join(getDesktopFileRules(plug.Snap()), "\n")
+	desktopSnippet := getDesktopFileRules(plug.Snap())
 	spec.AddPrioritizedSnippet(desktopSnippet, prioritizedSnippetDesktopFileAccess, desktopLegacyAndUnity7Priority)
 	return nil
 }

diff --git a/interfaces/builtin/utils.go b/interfaces/builtin/utils.go
@@ -79,26 +79,27 @@ func verifySlotPathAttribute(slotRef *interfaces.SlotRef, attrs interfaces.Attre
 	return cleanPath, nil
 }
 
-func getDesktopFileRulesFallback() []string {
-	return []string{
-		"# Support applications which use the unity messaging menu, xdg-mime, etc",
-		"# This leaks the names of snaps with desktop files",
-		fmt.Sprintf("%s/ r,", dirs.SnapDesktopFilesDir),
-		"# Allowing reading only our desktop files (required by (at least) the unity",
-		"# messaging menu).",
-		"# parallel-installs: this leaks read access to desktop files owned by keyed",
-		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap",
-		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", dirs.SnapDesktopFilesDir),
-		"# Explicitly deny access to other snap's desktop files",
-		fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", dirs.SnapDesktopFilesDir),
-		// XXX: Do we need to generate extensive deny rules for the fallback too?
-	}
+func getDesktopFileRulesFallback() string {
+	const template = `
+# Support applications which use the unity messaging menu, xdg-mime, etc
+# This leaks the names of snaps with desktop files
+%[1]s/ r,
+# Allowing reading only our desktop files (required by (at least) the unity
+# messaging menu).
+# parallel-installs: this leaks read access to desktop files owned by keyed
+# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
+%[1]s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,
+# Explicitly deny access to other snap's desktop files
+deny %[1]s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,
+`
+	// XXX: Do we need to generate extensive deny rules for the fallback too?
+	return fmt.Sprintf(template[1:], dirs.SnapDesktopFilesDir)
 }
 
 var apparmorGenerateAAREExclusionPatterns = apparmor.GenerateAAREExclusionPatterns
-var desktopFilesFromMount = func(s *snap.Info) ([]string, error) {
-	opts := snap.DesktopFilesFromMountOptions{MangleFileNames: true}
-	return s.DesktopFilesFromMount(opts)
+var desktopFilesFromInstalledSnap = func(s *snap.Info) ([]string, error) {
+	opts := snap.DesktopFilesFromInstalledSnapOptions{MangleFileNames: true}
+	return s.DesktopFilesFromInstalledSnap(opts)
 }
 
 // getDesktopFileRules generates snippet rules for allowing access to the
@@ -107,57 +108,62 @@ var desktopFilesFromMount = func(s *snap.Info) ([]string, error) {
 // to read all the desktop files in the dir, causing excessive noise. (LP: #1868051)
 //
 // The snap must be mounted.
-func getDesktopFileRules(s *snap.Info) []string {
-	baseDir := dirs.SnapDesktopFilesDir
+func getDesktopFileRules(s *snap.Info) string {
+	const template = `
+# Support applications which use the unity messaging menu, xdg-mime, etc
+# This leaks the names of snaps with desktop files
+%s/ r,
 
-	rules := []string{
-		"# Support applications which use the unity messaging menu, xdg-mime, etc",
-		"# This leaks the names of snaps with desktop files",
-		fmt.Sprintf("%s/ r,", baseDir),
-	}
+# Allow rules:
+%s
+
+# Deny rules:
+%s
+`
 
 	// Generate allow rules
-	rules = append(rules,
-		"# Allowing reading only our desktop files (required by (at least) the unity",
-		"# messaging menu).",
-		"# parallel-installs: this leaks read access to desktop files owned by keyed",
-		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap",
-		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", dirs.SnapDesktopFilesDir),
-	)
+	allowRules := `
+# Allowing reading only our desktop files (required by (at least) the unity
+# messaging menu).
+# parallel-installs: this leaks read access to desktop files owned by keyed
+# instances of @{SNAP_NAME} to @{SNAP_NAME} snap
+`
+	allowRules += fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,\n", dirs.SnapDesktopFilesDir)
 	// For allow rules let's be more defensive and not depend on desktop files
 	// shipped by the snap like what is done below in the deny rules so that if
 	// a snap figured out a way to trick the checks below it can only shoot
 	// itself in the foot and deny more stuff.
 	// Although, given the extensive use of ValidateNoAppArmorRegexp below this
-	// should never, but still it is better to play it safe with allow rules
+	// should never fail, but still it is better to play it safe with allow rules.
 	desktopFileIDs, err := s.DesktopPlugFileIDs()
 	if err != nil {
-		logger.Noticef("error: %v", err)
+		logger.Noticef("cannot list desktop plug file IDs: %v", err)
 		return getDesktopFileRulesFallback()
 	}
 	for _, desktopFileID := range desktopFileIDs {
 		// Validate IDs, This check should never be triggered because
 		// desktop-file-ids are already validated during install.
 		// But still it is better to play it safe and check AARE characters anyway.
 		if err := apparmor.ValidateNoAppArmorRegexp(desktopFileID); err != nil {
 // https://specifications.freedesktop.org/desktop-entry-spec/latest/file-naming.html 
 // Desktop file id must be a valid D-Bus name: 
 //   - A sequence of non-empty elements separated by dots 
 //   - None of which starts with a digit 
 //   - Each of which contains only characters from the set [A-Za-z0-9-_] 
 // 
 // XXX: dashes "-" are not recommended but supported, should they be removed? 
 // https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names 
 var desktopFileIDRegexp = regexp.MustCompile(`^([A-Za-z_-][\w-]*)(\.[A-Za-z_-][\w-]*)*$`) 
 func (iface *desktopInterface) validateDesktopFileIDs(attribs interfaces.Attrer) error { 
 snap.BadInterfaces = make(map[string]string) 
 SanitizePlugsSlots(snap) 
 // https://specifications.freedesktop.org/desktop-entry-spec/latest/file-naming.html 
 // Desktop file id must be a valid D-Bus name: 
 //   - A sequence of non-empty elements separated by dots 
 //   - None of which starts with a digit 
 //   - Each of which contains only characters from the set [A-Za-z0-9-_] 
 // 
 // XXX: dashes "-" are not recommended but supported, should they be removed? 
 // https://dbus.freedesktop.org/doc/dbus-specification.html#message-protocol-names 
 var desktopFileIDRegexp = regexp.MustCompile(`^([A-Za-z_-][\w-]*)(\.[A-Za-z_-][\w-]*)*$`) 
  
 func (iface *desktopInterface) validateDesktopFileIDs(attribs interfaces.Attrer) error { 
 snap.BadInterfaces = make(map[string]string) 
 SanitizePlugsSlots(snap) 
-			logger.Noticef("error: %v", err)
+			logger.Noticef("internal error: invalid desktop file id %q found in snap %q which should have failed in BeforePreparePlug checks: %v", desktopFileID, s.InstanceName(), err)
 			return getDesktopFileRulesFallback()
 		}
-		rules = append(rules, fmt.Sprintf("%s/%s r,", baseDir, desktopFileID+".desktop"))
+		allowRules += fmt.Sprintf("%s/%s r,\n", dirs.SnapDesktopFilesDir, desktopFileID+".desktop")
 	}
 
 	// Generate deny rules to suppress apparmor warnings
-	desktopFiles, err := desktopFilesFromMount(s)
+	denyRules := "# Explicitly deny access to other snap's desktop files\n"
+	desktopFiles, err := desktopFilesFromInstalledSnap(s)
 	if err != nil {
-		logger.Noticef("error: %v", err)
+		logger.Noticef("failed to collect desktop files from snap %q: %v", s.InstanceName(), err)
 		return getDesktopFileRulesFallback()
 	}
 	if len(desktopFiles) == 0 {
 		// Nothing to do
 		return getDesktopFileRulesFallback()
 func getDesktopFileRules(snapInstanceName string) []string { 
 	baseDir := dirs.SnapDesktopFilesDir 
 	rules := []string{ 
 		"# Support applications which use the unity messaging menu, xdg-mime, etc", 
 		"# This leaks the names of snaps with desktop files", 
 		fmt.Sprintf("%s/ r,", baseDir), 
 		"# Allowing reading only our desktop files (required by (at least) the unity", 
 		"# messaging menu).", 
 		"# parallel-installs: this leaks read access to desktop files owned by keyed", 
 		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap", 
 		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", baseDir), 
 		"# Explicitly deny access to other snap's desktop files", 
 		fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", baseDir), 
 	} 
 	for _, t := range aareExclusivePatterns(snapInstanceName) { 
 		rules = append(rules, fmt.Sprintf("deny %s/%s r,", baseDir, t)) 
 	} 
 	return rules 
 } 
 func getDesktopFileRules(snapInstanceName string) []string { 
 	baseDir := dirs.SnapDesktopFilesDir 
  
 	rules := []string{ 
 		"# Support applications which use the unity messaging menu, xdg-mime, etc", 
 		"# This leaks the names of snaps with desktop files", 
 		fmt.Sprintf("%s/ r,", baseDir), 
 		"# Allowing reading only our desktop files (required by (at least) the unity", 
 		"# messaging menu).", 
 		"# parallel-installs: this leaks read access to desktop files owned by keyed", 
 		"# instances of @{SNAP_NAME} to @{SNAP_NAME} snap", 
 		fmt.Sprintf("%s/@{SNAP_INSTANCE_DESKTOP}_*.desktop r,", baseDir), 
 		"# Explicitly deny access to other snap's desktop files", 
 		fmt.Sprintf("deny %s/@{SNAP_INSTANCE_DESKTOP}[^_.]*.desktop r,", baseDir), 
 	} 
 	for _, t := range aareExclusivePatterns(snapInstanceName) { 
 		rules = append(rules, fmt.Sprintf("deny %s/%s r,", baseDir, t)) 
 	} 
  
 	return rules 
 } 
 	}
 	excludeOpts := &apparmor.AAREExclusionPatternsOptions{
-		Prefix: fmt.Sprintf("deny %s", baseDir),
+		Prefix: fmt.Sprintf("deny %s", dirs.SnapDesktopFilesDir),
 		Suffix: ".desktop r,",
 	}
 	excludePatterns := make([]string, 0, len(desktopFiles))
@@ -168,20 +174,19 @@ func getDesktopFileRules(s *snap.Info) []string {
 		// - Desktop file ids are validated to only contain non-AARE characters
 		// But still it is better to play it safe and check AARE characters anyway.
 		if err := apparmor.ValidateNoAppArmorRegexp(desktopFile); err != nil {
-			logger.Noticef("error: %v", err)
+			logger.Noticef("internal error: invalid desktop file name %q found in snap %q which should have been validated earlier: %v", desktopFile, s.InstanceName(), err)
 			return getDesktopFileRulesFallback()
 		}
 		excludePatterns = append(excludePatterns, "/"+strings.TrimSuffix(filepath.Base(desktopFile), ".desktop"))
 	}
 	excludeRules, err := apparmorGenerateAAREExclusionPatterns(excludePatterns, excludeOpts)
 	if err != nil {
-		logger.Noticef("error: %v", err)
+		logger.Noticef("internal error: failed to generate deny rules for snap %q: %v", s.InstanceName(), err)
 		return getDesktopFileRulesFallback()
 	}
-	rules = append(rules, "# Explicitly deny access to other snap's desktop files")
-	rules = append(rules, excludeRules)
+	denyRules += excludeRules
 
-	return rules
+	return fmt.Sprintf(template, dirs.SnapDesktopFilesDir, allowRules[1:], denyRules)
 }
 
 // stringListAttribute returns a list of strings for the given attribute key if the attribute exists.

diff --git a/interfaces/builtin/utils_test.go b/interfaces/builtin/utils_test.go
@@ -33,6 +33,7 @@ import (
 	"github.com/snapcore/snapd/interfaces/apparmor"
 	"github.com/snapcore/snapd/interfaces/builtin"
 	"github.com/snapcore/snapd/interfaces/ifacetest"
+	"github.com/snapcore/snapd/logger"
 	apparmorutils "github.com/snapcore/snapd/sandbox/apparmor"
 	"github.com/snapcore/snapd/snap"
 	"github.com/snapcore/snapd/snap/snaptest"
@@ -305,7 +306,10 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesNoDesktopFilesFallback(c
 }
 
 func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesSnapMountErrorFallback(c *C) {
-	restore := builtin.MockDesktopFilesFromMount(func(s *snap.Info) ([]string, error) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	restore = builtin.MockDesktopFilesFromInstalledSnap(func(s *snap.Info) ([]string, error) {
 		return nil, errors.New("boom")
 	})
 	defer restore()
@@ -318,10 +322,15 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesSnapMountErrorFallback(c
 		expectedRules:  s.fallbackRules,
 	}
 	s.testDesktopFileRules(c, opts)
+
+	c.Check(logbuf.String(), testutil.Contains, `failed to collect desktop files from snap "some-snap": boom`)
 }
 
 func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesAAREExclusionPatternsErrorFallback(c *C) {
-	restore := builtin.MockApparmorGenerateAAREExclusionPatterns(func(excludePatterns []string, opts *apparmorutils.AAREExclusionPatternsOptions) (string, error) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
+	restore = builtin.MockApparmorGenerateAAREExclusionPatterns(func(excludePatterns []string, opts *apparmorutils.AAREExclusionPatternsOptions) (string, error) {
 		return "", errors.New("boom")
 	})
 	defer restore()
@@ -334,6 +343,8 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesAAREExclusionPatternsErr
 		expectedRules:  s.fallbackRules,
 	}
 	s.testDesktopFileRules(c, opts)
+
+	c.Check(logbuf.String(), testutil.Contains, `internal error: failed to generate deny rules for snap "some-snap": boom`)
 }
 
 func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesCommonSnapNameAndDesktopFileID(c *C) {
@@ -379,9 +390,12 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesSanitizedDesktopFileName
 }
 
 func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesBadDesktopFileName(c *C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
 	// Stress the case where a snap file name skipped sanitization somehow
 	// This should never happen because snap.MangleDesktopFileName is called
-	restore := builtin.MockDesktopFilesFromMount(func(s *snap.Info) ([]string, error) {
+	restore = builtin.MockDesktopFilesFromInstalledSnap(func(s *snap.Info) ([]string, error) {
 		return []string{"foo**?$.desktop"}, nil
 	})
 	defer restore()
@@ -393,12 +407,17 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesBadDesktopFileName(c *C)
 		expectedRules: s.fallbackRules,
 	}
 	s.testDesktopFileRules(c, opts)
+
+	c.Check(logbuf.String(), testutil.Contains, `internal error: invalid desktop file name "foo**?$.desktop" found in snap "some-snap" which should have been validated earlier: "foo**?$.desktop" contains a reserved apparmor char`)
 }
 
 func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesBadDesktopFileIDs(c *C) {
+	logbuf, restore := logger.MockLogger()
+	defer restore()
+
 	// Stress the case where a desktop file ids attribute skipped validation during
 	// installation somehow
-	restore := builtin.MockDesktopFilesFromMount(func(s *snap.Info) ([]string, error) {
+	restore = builtin.MockDesktopFilesFromInstalledSnap(func(s *snap.Info) ([]string, error) {
 		return []string{"org.*.example.desktop"}, nil
 	})
 	defer restore()
@@ -410,4 +429,6 @@ func (s *desktopFileRulesBaseSuite) TestDesktopFileRulesBadDesktopFileIDs(c *C)
 		expectedRules:  s.fallbackRules,
 	}
 	s.testDesktopFileRules(c, opts)
+
+	c.Check(logbuf.String(), testutil.Contains, `internal error: invalid desktop file id "org.*.example" found in snap "some-snap" which should have failed in BeforePreparePlug checks: "org.*.example" contains a reserved apparmor char`)
 }
diff --git a/snap/info.go b/snap/info.go
@@ -996,6 +996,21 @@ func (s *Info) DesktopPlugFileIDs() ([]string, error) {
 	return desktopFileIDs, nil
 }
 
+func sanitizeDesktopFileName(base string) string {
+	var b strings.Builder
+	b.Grow(len(base))
+
+	for _, c := range base {
+		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' {
+			b.WriteRune(c)
+		} else {
+			b.WriteRune('_')
+		}
+	}
+
+	return b.String()
+}
+
 // MangleDesktopFileName returns the sanitized file name prefixed with Info.DesktopPrefix().
 // If the passed name (without the .desktop extension) is listed under the desktop-file-ids
 // desktop interface plug attribute then the desktop file name is returned as is without
@@ -1024,26 +1039,18 @@ func (s *Info) MangleDesktopFileName(desktopFile string) (string, error) {
 
 	// Sanitization logic shouldn't worry about being backware compatible because the
 	// desktop files are always written when snapd starts in ensureDesktopFilesUpdated.
-	sanitizedBase := ""
-	for _, c := range base {
-		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' {
-			sanitizedBase += string(c)
-			continue
-		}
-		// Replace with '_'
-		sanitizedBase += "_"
-	}
+	sanitizedBase := sanitizeDesktopFileName(base)
 
 	return filepath.Join(dir, fmt.Sprintf("%s_%s", s.DesktopPrefix(), sanitizedBase)), nil
 }
 
-type DesktopFilesFromMountOptions struct {
+type DesktopFilesFromInstalledSnapOptions struct {
 	// Mangles found desktop files using Info.MangleDesktopFileName()
 	MangleFileNames bool
 }
 
-// DesktopFilesFromMount returns the desktop files found under <snap-mount>/meta/gui.
-func (s *Info) DesktopFilesFromMount(opts DesktopFilesFromMountOptions) ([]string, error) {
+// DesktopFilesFromInstalledSnap returns the desktop files found under <snap-mount>/meta/gui.
+func (s *Info) DesktopFilesFromInstalledSnap(opts DesktopFilesFromInstalledSnapOptions) ([]string, error) {
 	rootDir := filepath.Join(s.MountDir(), "meta", "gui")
 	if !osutil.IsDirectory(rootDir) {
 		return nil, nil

diff --git a/snap/info_test.go b/snap/info_test.go
@@ -2651,7 +2651,7 @@ plugs:
 	c.Assert(err, NotNil)
 }
 
-func (s *infoSuite) TestDesktopFilesFromMountNoFiles(c *C) {
+func (s *infoSuite) TestDesktopFilesFromInstalledSnapNoFiles(c *C) {
 	const desktopAppYaml = `
 name: foo
 version: 1.0
@@ -2660,12 +2660,12 @@ version: 1.0
 	info, err := snap.InfoFromSnapYaml([]byte(desktopAppYaml))
 	c.Assert(err, IsNil)
 
-	desktopFiles, err := info.DesktopFilesFromMount(snap.DesktopFilesFromMountOptions{})
+	desktopFiles, err := info.DesktopFilesFromInstalledSnap(snap.DesktopFilesFromInstalledSnapOptions{})
 	c.Assert(err, IsNil)
 	c.Assert(desktopFiles, IsNil)
 }
 
-func (s *infoSuite) testDesktopFilesFromMount(c *C, mangle bool) {
+func (s *infoSuite) testDesktopFilesFromInstalledSnap(c *C, mangle bool) {
 	const desktopAppYaml = `
 name: foo
 version: 1.0
@@ -2687,8 +2687,8 @@ plugs:
 		c.Assert(err, IsNil)
 	}
 
-	opts := snap.DesktopFilesFromMountOptions{MangleFileNames: mangle}
-	desktopFilesFound, err := info.DesktopFilesFromMount(opts)
+	opts := snap.DesktopFilesFromInstalledSnapOptions{MangleFileNames: mangle}
+	desktopFilesFound, err := info.DesktopFilesFromInstalledSnap(opts)
 	c.Assert(err, IsNil)
 	c.Assert(desktopFilesFound, HasLen, len(testDesktopFiles))
 
@@ -2711,12 +2711,12 @@ plugs:
 	}
 }
 
-func (s *infoSuite) TestDesktopFilesFromMount(c *C) {
+func (s *infoSuite) TestDesktopFilesFromInstalledSnap(c *C) {
 	const mangle = false
-	s.testDesktopFilesFromMount(c, mangle)
+	s.testDesktopFilesFromInstalledSnap(c, mangle)
 }
 
-func (s *infoSuite) TestDesktopFilesFromMountMangled(c *C) {
+func (s *infoSuite) TestDesktopFilesFromInstalledSnapMangled(c *C) {
 	const mangle = true
-	s.testDesktopFilesFromMount(c, mangle)
+	s.testDesktopFilesFromInstalledSnap(c, mangle)
 }
diff --git a/wrappers/desktop.go b/wrappers/desktop.go
@@ -248,7 +248,7 @@ func findDesktopFiles(rootDir string) ([]string, error) {
 }
 
 func deriveDesktopFilesContent(s *snap.Info) (map[string]osutil.FileState, error) {
-	desktopFiles, err := s.DesktopFilesFromMount(snap.DesktopFilesFromMountOptions{})
+	desktopFiles, err := s.DesktopFilesFromInstalledSnap(snap.DesktopFilesFromInstalledSnapOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -261,7 +261,8 @@ func deriveDesktopFilesContent(s *snap.Info) (map[string]osutil.FileState, error
 			return nil, err
 		}
 		if _, exists := content[base]; exists {
-			return nil, fmt.Errorf("duplicate desktop file name after mangling")
+			logger.Noticef("skipping %q as a duplicate file name %q was found after mangling", filepath.Base(df), base)
+			continue
 		}
 		fileContent, err := os.ReadFile(df)
 		if err != nil {