11 files changed, 83 insertions, 9 deletions

diff --git a/README b/README
index e79d4ae10..758775088 100644
--- a/README
+++ b/README
@@ -518,6 +518,8 @@ rogshdo (https://github.com/rogshdo)
         - BitlBee profile
 Ruan (https://github.com/ruany)
         - fixed hexchat profile
+rusty-snake (https://github.com/rusty-snake)
+        - fixed kdenlive profile
 Salvo 'LtWorf' Tomaselli (https://github.com/ltworf)
         - fixed ktorrent profile
 sarneaud (https://github.com/sarneaud)
@@ -684,6 +686,7 @@ veloute (https://github.com/veloute)
         - added flameshot profile
         - added jdownloader profile
         - fixed discord profile
+        - fixes for various profiles
 Vincent43 (https://github.com/Vincent43)
         - apparmor enhancements
 vismir2 (https://github.com/vismir2)
diff --git a/README.md b/README.md
index df436721e..e18d14267 100644
--- a/README.md
+++ b/README.md
@@ -148,4 +148,4 @@ QMediathekView, aria2c, Authenticator, checkbashisms, devilspie, devilspie2, eas
 bsdcat, bsdcpio, bsdtar, lzmadec, lbunzip2, lbzcat, lbzip2, lzcat, lzcmp, lzdiff, lzegrep, lzfgrep, lzgrep,
 lzless, lzma, lzmainfo, lzmore, unlzma, unxz, xzcat, xzcmp, xzdiff, xzegrep, xzfgrep, xzgrep, xzless, xzmore,
 lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh, nirtoshare-send, nitroshare-ui, mencoder, gnome-pie,
-masterpdfeditor, QOwnNotes, aisleriot, Mendeley, feedreader
+masterpdfeditor, QOwnNotes, aisleriot, Mendeley, feedreader, ocenaudio
diff --git a/RELNOTES b/RELNOTES
index 6d2582a59..3b57ac694 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -11,7 +11,7 @@ firejail (0.9.56.1) baseline; urgency=low
   * new profiles: lzip, artha, nitroshare, nitroshare-cli, nitroshare-nmh
   * new profiles: nirtoshare-send, nitroshare-ui, mencoder, gnome-pie
   * new profiles: masterpdfeditor, QOwnNotes, aisleriot, Mendeley
-  * new profiles: feedreader
+  * new profiles: feedreader, ocenaudio
  -- netblue30 <netblue30@yahoo.com>  Thu, 11 Oct 2018 08:00:00 -0500
 
 firejail (0.9.56) baseline; urgency=low
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 796af28f0..7e9d7be80 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -447,6 +447,7 @@ blacklist ${HOME}/.local/share/nautilus-python
 blacklist ${HOME}/.local/share/nemo
 blacklist ${HOME}/.local/share/nemo-python
 blacklist ${HOME}/.local/share/notes
+blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
diff --git a/etc/kdenlive.profile b/etc/kdenlive.profile
index 2ef44bc7f..f7b5c89b3 100644
--- a/etc/kdenlive.profile
+++ b/etc/kdenlive.profile
@@ -30,7 +30,7 @@ protocol unix,netlink
 seccomp
 shell none
 
-private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper
+private-bin kdenlive,kdenlive_render,dbus-launch,melt,ffmpeg,ffplay,ffprobe,dvdauthor,genisoimage,vlc,xine,kdeinit5,kshell5,kdeinit5_shutdown,kdeinit5_wrapper,kdeinit4,kshell4,kdeinit4_shutdown,kdeinit4_wrapper,mlt-melt
 private-dev
 # private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,passwd,pulse,xdg,X11
 
diff --git a/etc/ocenaudio.profile b/etc/ocenaudio.profile
new file mode 100644
index 000000000..9b11e90f6
--- /dev/null
+++ b/etc/ocenaudio.profile
@@ -0,0 +1,50 @@
+# Firejail profile for ocenaudio
+# Description: Cross-platform, easy to use, fast and functional audio editor
+# This file is overwritten after every install/update
+# Persistent local customizations
+include ocenaudio.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.local/share/ocenaudio
+noblacklist ${DOCUMENTS}
+noblacklist ${MUSIC}
+
+include disable-common.inc
+include disable-devel.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-xdg.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+no3d
+# nodbus - breaks preferences, comment when needed
+nodbus
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+# disable-mnt
+# private
+private-bin ocenaudio
+private-cache
+private-dev
+private-etc asound.conf,fonts,pulse
+# private-lib
+private-tmp
+
+# memory-deny-write-execute - breaks on Arch
+noexec ${HOME}
+noexec /tmp
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index fcc1d04d4..c26ac278f 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -314,6 +314,7 @@ nheko
 nitroshare
 nylas
 obs
+ocenaudio
 odt2txt
 okular
 onionshare-gui
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
index 84f6a5f77..96ae37bd0 100644
--- a/src/firecfg/main.c
+++ b/src/firecfg/main.c
@@ -66,6 +66,7 @@ static void usage(void) {
 static void list(void) {
         DIR *dir = opendir(arg_bindir);
         if (!dir) {
+                perror("opendir");
                 fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
                 exit(1);
         }
@@ -103,6 +104,7 @@ static void clean(void) {
 
         DIR *dir = opendir(arg_bindir);
         if (!dir) {
+                perror("opendir");
                 fprintf(stderr, "Error: cannot open %s directory\n", arg_bindir);
                 exit(1);
         }
@@ -182,6 +184,7 @@ static void set_links_firecfg(void) {
         // parse /usr/lib/firejail/firecfg.cfg file
         FILE *fp = fopen(cfgfile, "r");
         if (!fp) {
+                perror("fopen");
                 fprintf(stderr, "Error: cannot open %s\n", cfgfile);
                 exit(1);
         }
@@ -247,7 +250,8 @@ static void set_links_homedir(const char *homedir) {
 
         DIR *dir = opendir(dirname);
         if (!dir) {
-                fprintf(stderr, "Error: cannot open ~/.config/firejail directory\n");
+                perror("opendir");
+                fprintf(stderr, "Error: cannot open %s directory\n", dirname);
                 free(dirname);
                 return;
         }
@@ -337,7 +341,12 @@ int main(int argc, char **argv) {
 
                         // exit if the directory does not exist, or if we don't have access to it
                         if (access(arg_bindir, R_OK | W_OK | X_OK)) {
-                                fprintf(stderr, "Error: directory %s not found\n", arg_bindir);
+                                if (errno == EACCES)
+                                        fprintf(stderr, "Error: cannot access directory %s: full permissions required\n", arg_bindir);
+                                else {
+                                        perror("access");
+                                        fprintf(stderr, "Error: cannot access directory %s\n", arg_bindir);
+                                }
                                 exit(1);
                         }
                 }
@@ -407,6 +416,7 @@ int main(int argc, char **argv) {
         }
         else if (bindir_set == 0) {
                 // create /usr/local directory if it doesn't exist (Solus distro)
+                mode_t orig_umask = umask(022); // temporarily set the umask
                 struct stat s;
                 if (stat("/usr/local", &s) != 0) {
                         printf("Creating /usr/local directory\n");
@@ -417,13 +427,14 @@ int main(int argc, char **argv) {
                         }
                 }
                 if (stat(arg_bindir, &s) != 0) {
-                        printf("Creating /usr/local directory\n");
+                        printf("Creating %s directory\n", arg_bindir);
                         int rv = mkdir(arg_bindir, 0755);
                         if (rv != 0) {
                                 fprintf(stderr, "Error: cannot create %s directory\n", arg_bindir);
                                 return 1;
                         }
                 }
+                umask(orig_umask);
         }
 
         // clear all symlinks
diff --git a/src/firecfg/sound.c b/src/firecfg/sound.c
index a4151e405..38b43af62 100644
--- a/src/firecfg/sound.c
+++ b/src/firecfg/sound.c
@@ -41,10 +41,13 @@ void sound(void) {
         char *fname;
         if (asprintf(&fname, "%s/.config/pulse/client.conf", home) == -1)
                 errExit("asprintf");
+        printf("Writing file %s\n", fname);
         FILE *fpout = fopen(fname, "w");
-        free(fname);
-        if (!fpout)
+        if (!fpout) {
+                perror("fopen");
                 goto errexit;
+        }
+        free(fname);
 
         // copy default config
         char buf[MAX_BUF];
diff --git a/src/man/firecfg.txt b/src/man/firecfg.txt
index 80cb201d9..b418faa15 100644
--- a/src/man/firecfg.txt
+++ b/src/man/firecfg.txt
@@ -55,6 +55,11 @@ Example:
 $ sudo firecfg --add-users dustin lucas mike eleven
 
 .TP
+\fB\-\-bindir=directory
+Create and search symbolic links in directory instead of the default location /user/local/bin.
+Directory should precede /usr/bin and /bin in the PATH environment variable.
+
+.TP
 \fB\-\-clean
 Remove all firejail symbolic links.
 
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 8898c6791..42495f52c 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -2484,7 +2484,7 @@ Globbing is the operation that expands a wildcard pattern into the list of pathn
 - '[' denotes a range of characters
 .br
 .TP
-The gobing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
+The globbing feature is implemented using glibc glob command. For more information on the wildcard syntax see man 7 glob.
 .br
 
 .br