diff --git a/cmd/snap-update-ns/change.go b/cmd/snap-update-ns/change.go
index f8777871c58..e1a334ffd7f 100644
--- a/cmd/snap-update-ns/change.go
+++ b/cmd/snap-update-ns/change.go
@@ -65,6 +65,10 @@ type Change struct {
 	Action Action
 }
 
+func (c *Change) GoString() string {
+	return fmt.Sprintf("%#+v", *c)
+}
+
 // String formats mount change to a human-readable line.
 func (c Change) String() string {
 	return fmt.Sprintf("%s (%s)", c.Action, c.Entry)
diff --git a/cmd/snap-update-ns/change_tricky_test.go b/cmd/snap-update-ns/change_tricky_test.go
new file mode 100644
index 00000000000..c6b791da82d
--- /dev/null
+++ b/cmd/snap-update-ns/change_tricky_test.go
@@ -0,0 +1,246 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2024 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package main_test
+
+import (
+	. "gopkg.in/check.v1"
+
+	update "github.com/snapcore/snapd/cmd/snap-update-ns"
+	"github.com/snapcore/snapd/osutil"
+)
+
+func (s *changeSuite) TestContentLayout1InitiallyConnected(c *C) {
+	// NOTE: This doesn't measure what is going on during construction. It
+	// merely measures what is constructed is stable and that it does not cause
+	// further changes to be created.
+	current, err := osutil.LoadMountProfile("testdata/content-layout-1-initially-connected.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-1-initially-connected.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	// The change plan is to do nothing.
+	// Note that the order of entries is back to front.
+	//
+	// At this time, the mount namespace is correct:
+	// zyga@wyzima:/run/snapd/ns$ sudo nsenter -mtest-snapd-content-layout.mnt
+	// root@wyzima:/# ls -l /usr/share/secureboot/potato
+	// total 1
+	// -rw-rw-r-- 1 root root 22 Aug 30 09:36 canary.txt
+	// drwxrwxr-x 2 root root 32 Aug 30 09:36 meta
+	// root@wyzima:/# ls -l /snap/test-snapd-content-layout/
+	// current/ x1/      x2/
+	// root@wyzima:/# ls -l /snap/test-snapd-content-layout/x2/attached-content/
+	// total 1
+	// -rw-rw-r-- 1 root root 22 Aug 30 09:36 canary.txt
+	// drwxrwxr-x 2 root root 32 Aug 30 09:36 meta
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "keep", Entry: current.Entries[4]},
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "keep", Entry: current.Entries[1]},
+		{Action: "keep", Entry: current.Entries[0]},
+	})
+}
+
+func (s *changeSuite) TestContentLayout2InitiallyConnectedThenDisconnected(c *C) {
+	current, err := osutil.LoadMountProfile("testdata/content-layout-1-initially-connected.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-2-after-disconnect.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	// The change plan is to do detach the content entry.
+	//
+	// Detached entries are first isolated from mount propagation. So the bug
+	// here is that the mount entry propagated to the layout during initial
+	// construction sticks around and is not updated. This is a bug.
+	// This is tracked as https://warthogs.atlassian.net/browse/SNAPDENG-31645
+	//
+	// zyga@wyzima:/run/snapd/ns$ sudo nsenter -mtest-snapd-content-layout.mnt
+	// root@wyzima:/# ls -l /snap/test-snapd-content-layout/x2/attached-content/
+	// total 1
+	// -rw-rw-r-- 1 root root 46 Aug 30 09:36 hidden
+	// root@wyzima:/# ls -l /usr/share/secureboot/potato
+	// total 1
+	// -rw-rw-r-- 1 root root 22 Aug 30 09:36 canary.txt
+	// drwxrwxr-x 2 root root 32 Aug 30 09:36 meta
+	//
+	// Note that the order of entries is back to front. There is another bug
+	// here, although it is not visible from the change plan alone. The reverse
+	// order of mount entries listed here is actually stored as the new current
+	// mount profile. This is tracked as
+	// https://warthogs.atlassian.net/browse/SNAPDENG-31644
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "keep", Entry: current.Entries[4]},
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "unmount", Entry: withDetachOption(current.Entries[1])},
+		{Action: "keep", Entry: current.Entries[0]},
+	})
+
+	// The actual entry for clarity.
+	c.Assert(changes[3].Entry, DeepEquals, osutil.MountEntry{
+		Name:    "/snap/test-snapd-content/x1",
+		Dir:     "/snap/test-snapd-content-layout/x2/attached-content",
+		Type:    "none",
+		Options: []string{"bind", "ro", "x-snapd.detach"},
+	})
+}
+
+func (s *changeSuite) TestContentLayout3InitiallyConnectedThenDisconnectedAndReconnected(c *C) {
+	current, err := osutil.LoadMountProfile("testdata/content-layout-2-after-disconnect.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-3-after-reconnect.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	// In theory we should get back to the initial state but the reality is
+	// much more complicated. The change looks good on paper but the
+	// propagation that is not taken into account makes the actual mount
+	// namespace incorrect. The content connection is new and correct but the layout
+	// is still the same and was not propagated.
+	//
+	// zyga@wyzima:/run/snapd/ns$ sudo nsenter -mtest-snapd-content-layout.mnt
+	// root@wyzima:/# ls -l /usr/share/secureboot/potato
+	// total 1
+	// -rw-rw-r-- 1 root root 22 Aug 30 09:36 canary.txt
+	// drwxrwxr-x 2 root root 32 Aug 30 09:36 meta
+	// root@wyzima:/# ls -l /snap/test-snapd-content-layout/x2/attached-content/
+	// total 1
+	// -rw-rw-r-- 1 root root 22 Aug 30 09:36 canary.txt
+	// drwxrwxr-x 2 root root 32 Aug 30 09:36 meta
+	//
+	// Yes, but:
+	//
+	// root@wyzima:/# cat /proc/self/mountinfo  | grep attached
+	// 212 945 7:12 / /snap/test-snapd-content-layout/x2/attached-content ro,relatime master:34 - squashfs /dev/loop12 ro,errors=continue,threads=single
+	//
+	// root@wyzima:/# cat /proc/self/mountinfo  | grep potato
+	// 572 598 7:12 / /usr/share/secureboot/potato ro,relatime master:34 - squashfs /dev/loop12 ro,errors=continue,threads=single
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "keep", Entry: current.Entries[1]},
+		{Action: "keep", Entry: current.Entries[0]},
+		{Action: "mount", Entry: desired.Entries[1]},
+	})
+
+	// The actual entry for clarity.
+	c.Assert(changes[4].Entry, DeepEquals, osutil.MountEntry{
+		Name:    "/snap/test-snapd-content/x1",
+		Dir:     "/snap/test-snapd-content-layout/x2/attached-content",
+		Type:    "none",
+		Options: []string{"bind", "ro"},
+	})
+}
+
+func (s *changeSuite) TestContentLayout4InitiallyDisconnectedThenConnected(c *C) {
+	current, err := osutil.LoadMountProfile("testdata/content-layout-4-initially-disconnected-then-connected.before.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "keep", Entry: current.Entries[1]},
+		{Action: "keep", Entry: current.Entries[0]},
+		{Action: "mount", Entry: desired.Entries[1]},
+	})
+
+	// The actual entry for clarity.
+	c.Assert(changes[4].Entry, DeepEquals, osutil.MountEntry{
+		Name:    "/snap/test-snapd-content/x1",
+		Dir:     "/snap/test-snapd-content-layout/x2/attached-content",
+		Type:    "none",
+		Options: []string{"bind", "ro"},
+	})
+}
+
+func (s *changeSuite) TestContentLayout5InitiallyConnectedThenContentRefreshed(c *C) {
+	current, err := osutil.LoadMountProfile("testdata/content-layout-5-initially-connected-then-content-refreshed.before.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	// This test shows similar behavior to -2- test - the layout stays propagated.
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "keep", Entry: current.Entries[4]},
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "unmount", Entry: withDetachOption(current.Entries[1])},
+		{Action: "keep", Entry: current.Entries[0]},
+		{Action: "mount", Entry: desired.Entries[1]},
+	})
+}
+
+func (s *changeSuite) TestContentLayout6InitiallyConnectedThenAppRefreshed(c *C) {
+	current, err := osutil.LoadMountProfile("testdata/content-layout-6-initially-connected-then-app-refreshed.before.current.fstab")
+	c.Assert(err, IsNil)
+	desired, err := osutil.LoadMountProfile("testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab")
+	c.Assert(err, IsNil)
+	changes := update.NeededChanges(current, desired)
+	showCurrentDesiredAndChanges(c, current, desired, changes)
+
+	// In this case, because the attached content is mounted to $SNAP (and not $SNAP_COMMON), the path changes
+	// and both the layout and content are re-made.
+	c.Assert(changes, DeepEquals, []*update.Change{
+		{Action: "unmount", Entry: withDetachOption(current.Entries[4])},
+		{Action: "keep", Entry: current.Entries[3]},
+		{Action: "keep", Entry: current.Entries[2]},
+		{Action: "unmount", Entry: withDetachOption(current.Entries[1])},
+		{Action: "keep", Entry: current.Entries[0]},
+		// It is interesting to note that we first mount the content to $SNAP/attached-content
+		// and only then construct the layout from $SNAP/attached-content to /usr/share/secureboot/potato.
+		// This is correct but the ordering is fraigle.
+		{Action: "mount", Entry: desired.Entries[1]},
+		{Action: "mount", Entry: desired.Entries[0]},
+	})
+}
+
+// withDetachOption returns a copy of the given mount entry with the x-snapd.detach option.
+func withDetachOption(e osutil.MountEntry) osutil.MountEntry {
+	e.Options = append([]string{}, e.Options...)
+	e.Options = append(e.Options, "x-snapd.detach")
+	return e
+}
+
+func showCurrentDesiredAndChanges(c *C, current, desired *osutil.MountProfile, changes []*update.Change) {
+	c.Logf("Number of current entires: %d", len(current.Entries))
+	for _, entry := range current.Entries {
+		c.Logf("- current : %v", entry)
+	}
+	c.Logf("Number of desired entires: %d", len(desired.Entries))
+	for _, entry := range desired.Entries {
+		c.Logf("- desired: %v", entry)
+	}
+	c.Logf("Number of changes: %d", len(changes))
+	for _, change := range changes {
+		c.Logf("- change: %v", change)
+	}
+}
diff --git a/cmd/snap-update-ns/testdata/Makefile b/cmd/snap-update-ns/testdata/Makefile
new file mode 100644
index 00000000000..277360d68b5
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/Makefile
@@ -0,0 +1,127 @@
+# This makefiles uses grouped-target feature and relies on it for correctness.
+ifeq (,$(findstring grouped-target,$(.FEATURES)))
+$(error You need make with the grouped-taget feature to build this dataset)
+endif
+
+fstab_files = content-layout-1-initially-connected.current.fstab \
+			  content-layout-1-initially-connected.desired.fstab \
+			  content-layout-2-after-disconnect.desired.fstab \
+			  content-layout-2-after-disconnect.current.fstab \
+			  content-layout-3-after-reconnect.desired.fstab \
+			  content-layout-3-after-reconnect.current.fstab \
+			  content-layout-4-initially-disconnected-then-connected.before.current.fstab \
+			  content-layout-4-initially-disconnected-then-connected.desired.fstab \
+			  content-layout-4-initially-disconnected-then-connected.current.fstab \
+			  content-layout-5-initially-connected-then-content-refreshed.before.current.fstab \
+			  content-layout-5-initially-connected-then-content-refreshed.desired.fstab \
+			  content-layout-5-initially-connected-then-content-refreshed.current.fstab \
+			  content-layout-6-initially-connected-then-app-refreshed.before.current.fstab \
+			  content-layout-6-initially-connected-then-app-refreshed.desired.fstab \
+			  content-layout-6-initially-connected-then-app-refreshed.current.fstab
+
+# None of the fstab files can be built in parallel as the depend on global system state.
+.NOTPARALLEL: $(fstab_files)
+.PHONY: all
+all: $(fstab_files)
+
+content-layout-1-initially-connected.desired.fstab content-layout-1-initially-connected.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	snap run test-snapd-content-layout.sh -c true
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-1-initially-connected.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-1-initially-connected.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-1.patch
+
+content-layout-2-after-disconnect.desired.fstab content-layout-2-after-disconnect.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	snap run test-snapd-content-layout.sh -c true
+	sudo snap disconnect test-snapd-content-layout:just-content test-snapd-content:just-content
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-2-after-disconnect.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-2-after-disconnect.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-2.patch
+
+content-layout-3-after-reconnect.desired.fstab content-layout-3-after-reconnect.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	snap run test-snapd-content-layout.sh -c true
+	sudo snap disconnect test-snapd-content-layout:just-content test-snapd-content:just-content
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-3-after-reconnect.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-3-after-reconnect.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-3.patch
+
+content-layout-4-initially-disconnected-then-connected.before.current.fstab content-layout-4-initially-disconnected-then-connected.desired.fstab content-layout-4-initially-disconnected-then-connected.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	snap connections test-snapd-content-layout | grep -xF 'content    test-snapd-content-layout:just-content  -     -'
+	snap run test-snapd-content-layout.sh -c true
+	# This file is used by unit tests model the changes needed after the refresh below.
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-4-initially-disconnected-then-connected.before.current.fstab
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-4-initially-disconnected-then-connected.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-4-initially-disconnected-then-connected.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-4.patch
+
+content-layout-5-initially-connected-then-content-refreshed.before.current.fstab content-layout-5-initially-connected-then-content-refreshed.desired.fstab content-layout-5-initially-connected-then-content-refreshed.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	snap run test-snapd-content-layout.sh -c true
+	# This file is used by unit tests model the changes needed after the refresh below.
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-5-initially-connected-then-content-refreshed.before.current.fstab
+	sudo snap install --dangerous $(word 2,$^) # Refresh the content.
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-5-initially-connected-then-content-refreshed.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-5-initially-connected-then-content-refreshed.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-5.patch
+
+content-layout-6-initially-connected-then-app-refreshed.before.current.fstab content-layout-6-initially-connected-then-app-refreshed.desired.fstab content-layout-6-initially-connected-then-app-refreshed.current.fstab &: test-snapd-content-layout_a_all.snap test-snapd-content_a_all.snap
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	sudo snap install --dangerous $(word 1,$^)
+	sudo snap install --dangerous $(word 1,$^) # Reinstall to get another revision for better clarity of the data.
+	sudo snap install --dangerous $(word 2,$^)
+	sudo snap connect test-snapd-content-layout:just-content test-snapd-content:just-content
+	snap run test-snapd-content-layout.sh -c true
+	# This file is used by unit tests model the changes needed after the refresh below.
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-6-initially-connected-then-app-refreshed.before.current.fstab
+	sudo snap install --dangerous $(word 1,$^) # Refresh the app.
+	cp /var/lib/snapd/mount/snap.test-snapd-content-layout.fstab content-layout-6-initially-connected-then-app-refreshed.desired.fstab
+	cp /run/snapd/ns/snap.test-snapd-content-layout.fstab content-layout-6-initially-connected-then-app-refreshed.current.fstab
+	sudo snap remove --purge test-snapd-content-layout
+	sudo snap remove --purge test-snapd-content
+	patch <annotations-6.patch
+
+test-snapd-content-layout_a_all.snap: test-snapd-content-layout
+	snap pack $<
+
+test-snapd-content_a_all.snap: test-snapd-content
+	snap pack $<
diff --git a/cmd/snap-update-ns/testdata/annotations-1.patch b/cmd/snap-update-ns/testdata/annotations-1.patch
new file mode 100644
index 00000000000..28e143aa528
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-1.patch
@@ -0,0 +1,42 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab
+index 54fbe65b9b..412f98e827 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab
+@@ -1,5 +1,27 @@
++# This entry is injected by snap-confine. It represents the tmpfs
++# created at / during construction of the mount namespace, before
++# snap-update-ns is even invoked.
+ tmpfs / tmpfs x-snapd.origin=rootfs 0 0
++# This is the result of a content interface connection, all of
++# test-snapd-content at revision x1 is shared to test-snapd-content-layout at
++# revision x2, to directory $SNAP/attached-content.
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
++# This is a writable mimic created on /usr/share/secureboot, so that the
++# subdirectory "potato" can be created inside. There's nothing special about
++# the path. It was used as there are relatvely few elements that need to be
++# re-created inside, making the behavior of the algorithm easier to follow.
+ tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
++# This is the only existing sub-directory of /usr/share/secureboot being
++# re-created by the writable mimic. Note that the name and directory are a lie
++# (or simplification) as this entry exists so that we know it needs to be
++# unmounted. The real source is somewhat more complicated and cannot be
++# expressed with the limited syntax of fstab mount entries.
+ /usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
++# This is the layout entry replicating the attached content. This is the root
++# of all evil, as the very popular behavior used by nearly all the snaps relies
++# on an implementation dertail that was never envisioned to work this way.
++#
++# Notice that it uses the attached-content directory as source, it has no idea
++# or relation to the connected content and is happy to replicate an empty
++# unconnected directory.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+diff --git b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab
+index 7e92c4709a..6ffd2382a4 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab
+@@ -1,2 +1,5 @@
++# This is the layout entry. Snapd orders layouts before any content entries.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
++# This is the content entry. Notice that it is after the layout but the user
++# expectation is that the content shows up through the layout entry.
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/annotations-2.patch b/cmd/snap-update-ns/testdata/annotations-2.patch
new file mode 100644
index 00000000000..396b67174b1
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-2.patch
@@ -0,0 +1,17 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab
+index e6a6f386ab..161f422d67 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab
+@@ -1,3 +1,4 @@
++# The order is no longer broken.
+ tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+ tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+ /usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+diff --git b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab
+index 7df3de1c3b..0b004668dc 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab
+@@ -1 +1,3 @@
++# This is the layout entry. Snapd orders layouts before any content entries.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
++# The content entry is now gone.
diff --git a/cmd/snap-update-ns/testdata/annotations-3.patch b/cmd/snap-update-ns/testdata/annotations-3.patch
new file mode 100644
index 00000000000..e3738d1ec59
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-3.patch
@@ -0,0 +1,24 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab
+index 619722d4a8..4e37544570 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab
+@@ -1,5 +1,11 @@
++# Note that the order is back to being correct because bug 
++# https://warthogs.atlassian.net/browse/SNAPDENG-31644 keeps flipping it back and forth!
+ tmpfs / tmpfs x-snapd.origin=rootfs 0 0
++# Unlike in the "initially connected" case. The mimic is ordered
++# differently from the content. Here we reuse the mimic so the content
++# is the last entry in the file.
+ tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+ /usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
++# The content is now here. The bind mount may or may not propagate though.
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
+diff --git b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab
+index 7e92c4709a..5fea10444b 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab
+@@ -1,2 +1,3 @@
++# This is exactly the same as content-layout-initially-connected.desired.fstab.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/annotations-4.patch b/cmd/snap-update-ns/testdata/annotations-4.patch
new file mode 100644
index 00000000000..370a68b91d3
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-4.patch
@@ -0,0 +1,17 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab
+index 619722d4a8..526d104f84 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab
+@@ -1,3 +1,4 @@
++# This file is now similar to -1- except that re-made content/layout entries are last.
+ tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+ tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+ /usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+diff --git b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab
+index 7e92c4709a..4d0f5b97bd 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab
+@@ -1,2 +1,3 @@
++# This file is identical to content-layout-1-initially-connected.desired.fstab, except for revision numbers.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/annotations-5.patch b/cmd/snap-update-ns/testdata/annotations-5.patch
new file mode 100644
index 00000000000..e282c7bbf78
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-5.patch
@@ -0,0 +1,21 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab
+index aadd564c33..d55e3f9269 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab
+@@ -1,3 +1,4 @@
++# This file is similar to -1-, except that attached content has different revision.
+ tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+ tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+ /usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+diff --git b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab
+index 98d9c0ef53..2de313d056 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab
+@@ -1,2 +1,7 @@
++# This file is almost the same as content-layout-1-initially-connected.desired.fstab, which is good.
++# The only difference, and one that we expect, is the revision of the attached content snap.
++# The revision changes from x1 to x2 as the content is refreshed.
+ /snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
++# This is the content entry. Notice that it is after the layout but the user
++# expectation is that the content shows up through the layout entry.
+ /snap/test-snapd-content/x2 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/annotations-6.patch b/cmd/snap-update-ns/testdata/annotations-6.patch
new file mode 100644
index 00000000000..771f87f6a9a
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/annotations-6.patch
@@ -0,0 +1,8 @@
+diff --git b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab a/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab
+index b49b4096d7..f4d4734242 100644
+--- b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab
++++ a/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab
+@@ -1,2 +1,3 @@
++# The desired file is the same as -1-, apart from revision numbers, and correct.
+ /snap/test-snapd-content-layout/x3/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+ /snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x3/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab
new file mode 100644
index 00000000000..412f98e827d
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.current.fstab
@@ -0,0 +1,27 @@
+# This entry is injected by snap-confine. It represents the tmpfs
+# created at / during construction of the mount namespace, before
+# snap-update-ns is even invoked.
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+# This is the result of a content interface connection, all of
+# test-snapd-content at revision x1 is shared to test-snapd-content-layout at
+# revision x2, to directory $SNAP/attached-content.
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
+# This is a writable mimic created on /usr/share/secureboot, so that the
+# subdirectory "potato" can be created inside. There's nothing special about
+# the path. It was used as there are relatvely few elements that need to be
+# re-created inside, making the behavior of the algorithm easier to follow.
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+# This is the only existing sub-directory of /usr/share/secureboot being
+# re-created by the writable mimic. Note that the name and directory are a lie
+# (or simplification) as this entry exists so that we know it needs to be
+# unmounted. The real source is somewhat more complicated and cannot be
+# expressed with the limited syntax of fstab mount entries.
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+# This is the layout entry replicating the attached content. This is the root
+# of all evil, as the very popular behavior used by nearly all the snaps relies
+# on an implementation dertail that was never envisioned to work this way.
+#
+# Notice that it uses the attached-content directory as source, it has no idea
+# or relation to the connected content and is happy to replicate an empty
+# unconnected directory.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab
new file mode 100644
index 00000000000..6ffd2382a4a
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-1-initially-connected.desired.fstab
@@ -0,0 +1,5 @@
+# This is the layout entry. Snapd orders layouts before any content entries.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+# This is the content entry. Notice that it is after the layout but the user
+# expectation is that the content shows up through the layout entry.
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab
new file mode 100644
index 00000000000..161f422d670
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.current.fstab
@@ -0,0 +1,5 @@
+# The order is no longer broken.
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab
new file mode 100644
index 00000000000..0b004668dcc
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-2-after-disconnect.desired.fstab
@@ -0,0 +1,3 @@
+# This is the layout entry. Snapd orders layouts before any content entries.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+# The content entry is now gone.
diff --git a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab
new file mode 100644
index 00000000000..4e375445705
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.current.fstab
@@ -0,0 +1,11 @@
+# Note that the order is back to being correct because bug 
+# https://warthogs.atlassian.net/browse/SNAPDENG-31644 keeps flipping it back and forth!
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+# Unlike in the "initially connected" case. The mimic is ordered
+# differently from the content. Here we reuse the mimic so the content
+# is the last entry in the file.
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+# The content is now here. The bind mount may or may not propagate though.
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab
new file mode 100644
index 00000000000..5fea10444b2
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-3-after-reconnect.desired.fstab
@@ -0,0 +1,3 @@
+# This is exactly the same as content-layout-initially-connected.desired.fstab.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.before.current.fstab b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.before.current.fstab
new file mode 100644
index 00000000000..e6a6f386ab8
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.before.current.fstab
@@ -0,0 +1,4 @@
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab
new file mode 100644
index 00000000000..526d104f846
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.current.fstab
@@ -0,0 +1,6 @@
+# This file is now similar to -1- except that re-made content/layout entries are last.
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab
new file mode 100644
index 00000000000..1d0c5fee1d2
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-4-initially-disconnected-then-connected.desired.fstab
@@ -0,0 +1,3 @@
+# This file is identical to content-layout-1-initially-connected.desired.fstab, except for revision numbers.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.before.current.fstab b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.before.current.fstab
new file mode 100644
index 00000000000..54fbe65b9b1
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.before.current.fstab
@@ -0,0 +1,5 @@
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab
new file mode 100644
index 00000000000..d55e3f9269c
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.current.fstab
@@ -0,0 +1,6 @@
+# This file is similar to -1-, except that attached content has different revision.
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+/snap/test-snapd-content/x2 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab
new file mode 100644
index 00000000000..2de313d056d
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-5-initially-connected-then-content-refreshed.desired.fstab
@@ -0,0 +1,7 @@
+# This file is almost the same as content-layout-1-initially-connected.desired.fstab, which is good.
+# The only difference, and one that we expect, is the revision of the attached content snap.
+# The revision changes from x1 to x2 as the content is refreshed.
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+# This is the content entry. Notice that it is after the layout but the user
+# expectation is that the content shows up through the layout entry.
+/snap/test-snapd-content/x2 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.before.current.fstab b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.before.current.fstab
new file mode 100644
index 00000000000..54fbe65b9b1
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.before.current.fstab
@@ -0,0 +1,5 @@
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x2/attached-content none bind,ro 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content-layout/x2/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.current.fstab b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.current.fstab
new file mode 100644
index 00000000000..7ed74c1be8b
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.current.fstab
@@ -0,0 +1,5 @@
+tmpfs / tmpfs x-snapd.origin=rootfs 0 0
+tmpfs /usr/share/secureboot tmpfs x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,mode=0755,uid=0,gid=0 0 0
+/usr/share/secureboot/updates /usr/share/secureboot/updates none rbind,x-snapd.synthetic,x-snapd.needed-by=/usr/share/secureboot/potato,x-snapd.detach 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x3/attached-content none bind,ro 0 0
+/snap/test-snapd-content-layout/x3/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
diff --git a/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab
new file mode 100644
index 00000000000..f4d47342427
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/content-layout-6-initially-connected-then-app-refreshed.desired.fstab
@@ -0,0 +1,3 @@
+# The desired file is the same as -1-, apart from revision numbers, and correct.
+/snap/test-snapd-content-layout/x3/attached-content /usr/share/secureboot/potato none rbind,rw,x-snapd.origin=layout 0 0
+/snap/test-snapd-content/x1 /snap/test-snapd-content-layout/x3/attached-content none bind,ro 0 0
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content-layout/attached-content/hidden b/cmd/snap-update-ns/testdata/test-snapd-content-layout/attached-content/hidden
new file mode 100644
index 00000000000..0002c784304
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content-layout/attached-content/hidden
@@ -0,0 +1 @@
+This file is hidden when content is connected
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/bash b/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/bash
new file mode 100755
index 00000000000..acd5e2fd9a3
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/bash
@@ -0,0 +1,3 @@
+#!/bin/sh
+PS1='$ '
+exec /bin/bash "$@"
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/sh b/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/sh
new file mode 100755
index 00000000000..0f845e07c5a
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content-layout/bin/sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+PS1='$ '
+exec /bin/sh "$@"
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content-layout/meta/snap.yaml b/cmd/snap-update-ns/testdata/test-snapd-content-layout/meta/snap.yaml
new file mode 100644
index 00000000000..7aee4ea9f64
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content-layout/meta/snap.yaml
@@ -0,0 +1,22 @@
+name: test-snapd-content-layout
+version: a
+
+confinement: strict
+base: core24
+architecture: all
+
+apps:
+  sh:
+    command: bin/sh
+  bash:
+    command: bin/bash
+
+plugs:
+  just-content:
+    content: just-content
+    interface: content
+    target: $SNAP/attached-content
+
+layout:
+  /usr/share/secureboot/potato:
+    bind: $SNAP/attached-content
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content/canary.txt b/cmd/snap-update-ns/testdata/test-snapd-content/canary.txt
new file mode 100644
index 00000000000..b627cc70e9b
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content/canary.txt
@@ -0,0 +1 @@
+This is a canary file
diff --git a/cmd/snap-update-ns/testdata/test-snapd-content/meta/snap.yaml b/cmd/snap-update-ns/testdata/test-snapd-content/meta/snap.yaml
new file mode 100644
index 00000000000..f53b021ac09
--- /dev/null
+++ b/cmd/snap-update-ns/testdata/test-snapd-content/meta/snap.yaml
@@ -0,0 +1,12 @@
+name: test-snapd-content
+version: a
+
+confinement: strict
+base: core24
+architecture: all
+
+slots:
+  just-content:
+    interface: content
+    read:
+    - /
diff --git a/cmd/snap-update-ns/update.go b/cmd/snap-update-ns/update.go
index cd7c10b0d26..c0b312a6697 100644
--- a/cmd/snap-update-ns/update.go
+++ b/cmd/snap-update-ns/update.go
@@ -92,11 +92,40 @@ func executeMountProfileUpdate(upCtx MountProfileUpdateContext) error {
 
 	// Compute the new current profile so that it contains only changes that were made
 	// and save it back for next runs.
-	var currentAfter osutil.MountProfile
-	for _, change := range changesMade {
-		if change.Action == Mount || change.Action == Keep {
-			currentAfter.Entries = append(currentAfter.Entries, change.Entry)
+	currentAfter := CurrentProfileFromChangesMade(changesMade)
+	return upCtx.SaveCurrentProfile(&currentAfter)
+}
+
+// CurrentProfileFromChangesMade computes a new mount profile a slice of changes.
+//
+// The return value collects mount profile entries from changes of type "mount"
+// and "keep" while discarding the changes of type "unmount". The order in
+// which entries are collected depends on their type.
+//
+// The sequence of changes, as produced by NeededChanges, is computed by
+// looking at two mount profiles, examining the most recent change and working
+// backwards. Since the most recent change is the last entry in the mount
+// profile, the first change describes the last mount entry of the old mount
+// profile.
+//
+// The "keep" changes are thus collected in reverse order - the order of their
+// true appearance, while "mount" changes are collected in the order of their
+// appearance as this represents the actual order of performed mount
+// operations.
+func CurrentProfileFromChangesMade(changes []*Change) osutil.MountProfile {
+	var profile osutil.MountProfile
+
+	for i := len(changes) - 1; i >= 0; i-- {
+		change := changes[i]
+		if change.Action == Keep {
+			profile.Entries = append(profile.Entries, change.Entry)
 		}
 	}
-	return upCtx.SaveCurrentProfile(&currentAfter)
+	for _, change := range changes {
+		if change.Action == Mount {
+			profile.Entries = append(profile.Entries, change.Entry)
+		}
+	}
+
+	return profile
 }
diff --git a/cmd/snap-update-ns/update_test.go b/cmd/snap-update-ns/update_test.go
index f231bb08464..a68db153193 100644
--- a/cmd/snap-update-ns/update_test.go
+++ b/cmd/snap-update-ns/update_test.go
@@ -363,14 +363,70 @@ func (s *updateSuite) TestKeepSyntheticMountsLP2043993(c *C) {
 
 	c.Assert(update.ExecuteMountProfileUpdate(upCtx), IsNil)
 	c.Assert(saved.Entries, HasLen, 2)
-	// TODO: the change of order is a bit unexpected, but that is a larger issue
-	// synth mount kept because it is needed by a desired mount
-	c.Check(saved.Entries[1].Type, Equals, "tmpfs")
-	c.Check(saved.Entries[1].Name, Equals, "tmpfs")
-	c.Check(saved.Entries[1].Dir, Equals, filepath.Join(baseSourceDir, "rofs"))
-	c.Check(saved.Entries[1].XSnapdSynthetic(), Equals, true)
-	c.Check(saved.Entries[1].XSnapdNeededBy(), Equals, "test-id")
-	c.Check(saved.Entries[0], DeepEquals, desiredMountEntry)
+	c.Check(saved.Entries[0].Type, Equals, "tmpfs")
+	c.Check(saved.Entries[0].Name, Equals, "tmpfs")
+	c.Check(saved.Entries[0].Dir, Equals, filepath.Join(baseSourceDir, "rofs"))
+	c.Check(saved.Entries[0].XSnapdSynthetic(), Equals, true)
+	c.Check(saved.Entries[0].XSnapdNeededBy(), Equals, "test-id")
+	c.Check(saved.Entries[1], DeepEquals, desiredMountEntry)
+}
+
+func (s *updateSuite) TestCurrentProfileFromChangesMade(c *C) {
+	// Changes are computed back-to-front, starting from the last entry in
+	// the mount profile.
+	changes := []*update.Change{
+		{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/dir-1"}},
+		{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/dir-2"}},
+		{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/dir-3"}},
+	}
+	profile := update.CurrentProfileFromChangesMade(changes)
+	c.Check(profile, DeepEquals, osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/dir-1"},
+		{Dir: "/dir-2"},
+		{Dir: "/dir-3"},
+	}})
+
+	// When we keep a number of entries we are not still processing them
+	// back-to-front but the order of actual changes is front-to-back.
+	changes = []*update.Change{
+		{Action: update.Keep, Entry: osutil.MountEntry{Dir: "/dir-3"}},
+		{Action: update.Keep, Entry: osutil.MountEntry{Dir: "/dir-2"}},
+		{Action: update.Keep, Entry: osutil.MountEntry{Dir: "/dir-1"}},
+	}
+	profile = update.CurrentProfileFromChangesMade(changes)
+	c.Check(profile, DeepEquals, osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/dir-1"},
+		{Dir: "/dir-2"},
+		{Dir: "/dir-3"},
+	}})
+
+	// When we unmount things they just don't appear in the resulting profile.
+	changes = []*update.Change{
+		{Action: update.Unmount, Entry: osutil.MountEntry{Dir: "/dir-1"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Dir: "/dir-2"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Dir: "/dir-3"}},
+	}
+	profile = update.CurrentProfileFromChangesMade(changes)
+	c.Check(profile, DeepEquals, osutil.MountProfile{})
+
+	// When we have a mixture of changes unmount entries are removed, keep
+	// entries are retained first, back to front and then mount entries are
+	// retained in the order in which they were executed.
+	changes = []*update.Change{
+		{Action: update.Unmount, Entry: osutil.MountEntry{Dir: "/old-2"}},
+		{Action: update.Unmount, Entry: osutil.MountEntry{Dir: "/old-1"}},
+		{Action: update.Keep, Entry: osutil.MountEntry{Dir: "/same-2"}},
+		{Action: update.Keep, Entry: osutil.MountEntry{Dir: "/same-1"}},
+		{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/new-1"}},
+		{Action: update.Mount, Entry: osutil.MountEntry{Dir: "/new-2"}},
+	}
+	profile = update.CurrentProfileFromChangesMade(changes)
+	c.Check(profile, DeepEquals, osutil.MountProfile{Entries: []osutil.MountEntry{
+		{Dir: "/same-1"},
+		{Dir: "/same-2"},
+		{Dir: "/new-1"},
+		{Dir: "/new-2"},
+	}})
 }
 
 // testProfileUpdateContext implements MountProfileUpdateContext and is suitable for testing.
diff --git a/osutil/mountentry.go b/osutil/mountentry.go
index 39bb858cb49..b7ce7e8be34 100644
--- a/osutil/mountentry.go
+++ b/osutil/mountentry.go
@@ -40,9 +40,9 @@ import (
 //	    int   mnt_passno;   /* pass number on parallel fsck */
 //	};
 type MountEntry struct {
-	Name    string
-	Dir     string
-	Type    string
+	Name    string // Device name, bind source, pseudo name
+	Dir     string // Directory name, bind target (including file)
+	Type    string // File system type
 	Options []string
 
 	DumpFrequency   int