Use the interface name instead of the plug name

interfaces/builtin/utils.go

@@ -113,12 +113,18 @@ func aareExclusivePatterns(orig string) []string {
 // in the dir, causing excessive noise. (LP: #1868051)
 func getDesktopFileRules(snapInstanceName string, spec *apparmor.Specification) []string {
 	// desktop-launch allows to read all .desktop files; but "deny" rules overrule any "allow"
-	// rule, so we must not add these rules if this snap uses the desktop-launch interface
+	// rule, so we must not add these rules if this snap uses the desktop-launch interface.
+	// Also, for security reasons, all these rules are removed if the desktop-launch interface
+	// is listed, thus only if it is really connected will the snap have any kind of access to
+	// these folders/files.
 	if spec != nil {
-		if _, ok := spec.SnapAppSet().Info().Plugs["desktop-launch"]; ok {
-			return nil
+		for _, plug := range spec.SnapAppSet().Info().Plugs {
+			if plug.Interface == "desktop-launch" {
+				return nil
+			}
 		}
 	}
+
 	baseDir := dirs.SnapDesktopFilesDir
 
 	rules := []string{

interfaces/builtin/utils_test.go

@@ -209,11 +209,15 @@ func (s *utilsSuite) TestGetDesktopFileRulesWithDesktopLaunchPlug(c *C) {
 	// fake apparmor.Specification
 	info := snap.Info{}
 	snapSet := interfaces.NewSnapAppSet(&info)
+	// although usually the name is equal to the interface, this is not
+	// guaranteed, so to test it right we must try with a name that is
+	// different than the interface.
 	plugInfo := snap.PlugInfo{
-		Name: "desktop-launch",
+		Name:      "desktop-launch-iface",
+		Interface: "desktop-launch",
 	}
 	snapSet.Info().Plugs = make(map[string]*snap.PlugInfo)
-	snapSet.Info().Plugs["desktop-launch"] = &plugInfo
+	snapSet.Info().Plugs["desktop-launch-iface"] = &plugInfo
 	spec := apparmor.NewSpecification(snapSet)
 
 	res := builtin.GetDesktopFileRules("foo-bar", spec)