17 files changed, 335 insertions, 13 deletions

diff --git a/README.md b/README.md
index 71167c3b8..175ba70b6 100644
--- a/README.md
+++ b/README.md
@@ -330,5 +330,6 @@ Stats:
 
 ### New profiles:
 
-vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop.
-avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop
+vmware-view, display-im6.q16, ipcalc, ipcalc-ng, ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
+avidemux, calligragemini, vmware-player, vmware-workstation, gget, com.github.phase1geo.minder, nextcloud-desktop,
+pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2
diff --git a/RELNOTES b/RELNOTES
index 57b19d8d5..3b74ebd5a 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -15,7 +15,8 @@ firejail (0.9.65) baseline; urgency=low
   * new profiles: vmware-view, display-im6.q16, ipcalc, ipcalc-ng
   * ebook-convert, ebook-edit, ebook-meta, ebook-polish, lzop,
   * avidemux, calligragemini, vmware-player, vmware-workstation
-  * gget, com.github.phase1geo.minder, nextcloud-desktop
+  * gget, com.github.phase1geo.minder, nextcloud-desktop, pcsxr
+  * PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2
  -- netblue30 <netblue30@yahoo.com>  Tue, 9 Feb 2021 09:00:00 -0500
 
 firejail (0.9.64.4) baseline; urgency=low
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 84eb51b9f..9dffa750a 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -167,6 +167,7 @@ blacklist ${HOME}/.config/aweather
 blacklist ${HOME}/.config/backintime
 blacklist ${HOME}/.config/baloofilerc
 blacklist ${HOME}/.config/baloorc
+blacklist ${HOME}/.config/bcompare
 blacklist ${HOME}/.config/blender
 blacklist ${HOME}/.config/bless
 blacklist ${HOME}/.config/bnox
@@ -268,6 +269,7 @@ blacklist ${HOME}/.config/inkscape
 blacklist ${HOME}/.config/inox
 blacklist ${HOME}/.config/iridium
 blacklist ${HOME}/.config/itch
+blacklist ${HOME}/.config/jami
 blacklist ${HOME}/.config/jd-gui.cfg
 blacklist ${HOME}/.config/k3brc
 blacklist ${HOME}/.config/kaffeinerc
@@ -348,6 +350,7 @@ blacklist ${HOME}/.config/okularrc
 blacklist ${HOME}/.config/onboard
 blacklist ${HOME}/.config/onionshare
 blacklist ${HOME}/.config/onlyoffice
+blacklist ${HOME}/.config/openmw
 blacklist ${HOME}/.config/opera
 blacklist ${HOME}/.config/opera-beta
 blacklist ${HOME}/.config/orage
@@ -666,6 +669,7 @@ blacklist ${HOME}/.local/share/gradio
 blacklist ${HOME}/.local/share/gwenview
 blacklist ${HOME}/.local/share/i2p
 blacklist ${HOME}/.local/share/IntoTheBreach
+blacklist ${HOME}/.local/share/jami
 blacklist ${HOME}/.local/share/kaffeine
 blacklist ${HOME}/.local/share/kalgebra
 blacklist ${HOME}/.local/share/kate
@@ -716,6 +720,7 @@ blacklist ${HOME}/.local/share/notes
 blacklist ${HOME}/.local/share/ocenaudio
 blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/onlyoffice
+blacklist ${HOME}/.local/share/openmw
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/Paradox Interactive
@@ -799,6 +804,7 @@ blacklist ${HOME}/.opera-beta
 blacklist ${HOME}/.ostrichriders
 blacklist ${HOME}/.paradoxinteractive
 blacklist ${HOME}/.parallelrealities/blobwars
+blacklist ${HOME}/.pcsxr
 blacklist ${HOME}/.penguin-command
 blacklist ${HOME}/.pingus
 blacklist ${HOME}/.pioneer
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
new file mode 100644
index 000000000..178e2dc9f
--- /dev/null
+++ b/etc/profile-a-l/bcompare.profile
@@ -0,0 +1,62 @@
+# Firejail profile for Beyond Compare by Scooter Software
+# Description: directory and file compare utility
+# Disables the network, which only impacts checking for updates.
+# This file is overwritten after every install/update
+# Persistent local customizations
+include bcompare.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/bcompare
+# In case the user decides to include disable-programs.inc, still allow
+# KDE's Gwenview to view images via right click -> Open With -> Associated Application
+noblacklist ${HOME}/.config/gwenviewrc
+
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+#include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+#include disable-programs.inc
+# Uncommenting this breaks launch
+# include disable-shell.inc
+include disable-write-mnt.inc
+# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
+# include disable-xdg.inc
+
+# include whitelist-common.inc
+# include whitelist-runuser-common.inc
+# include whitelist-usr-share-common.inc
+# include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+# Uncommenting might break Pulse Audio
+#machine-id
+net none
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+# Allow applications launched on sound files to play them
+#nosound
+notv
+nou2f
+novideo
+protocol unix
+seccomp
+shell none
+tracelog
+
+private-cache
+private-dev
+# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
+# private-etc alternatives,fonts,machine-id
+# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index 13d830b55..fc920a065 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -18,6 +18,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/dolphin-emu
diff --git a/etc/profile-a-l/jami-gnome.profile b/etc/profile-a-l/jami-gnome.profile
new file mode 100644
index 000000000..226bb0008
--- /dev/null
+++ b/etc/profile-a-l/jami-gnome.profile
@@ -0,0 +1,42 @@
+# Firejail profile for jami-gnome
+# Description: An encrypted peer-to-peer messenger
+# This file is overwritten after every install/update
+# Persistent local customizations
+include jami-gnome.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/jami
+noblacklist ${HOME}/.local/share/jami
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+#include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+mkdir ${HOME}/.config/jami
+mkdir ${HOME}/.local/share/jami
+whitelist ${HOME}/.config/jami
+whitelist ${HOME}/.local/share/jami
+include whitelist-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+protocol unix,inet,inet6,netlink
+seccomp
+shell none
+
+disable-mnt
+private-dev
+private-tmp
+
+env QT_QPA_PLATFORM=xcb
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
new file mode 100644
index 000000000..b2687ba3c
--- /dev/null
+++ b/etc/profile-m-z/PCSX2.profile
@@ -0,0 +1,57 @@
+# Firejail profile for PCSX2
+# Description: A PlayStation 2 emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PCSX2.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a PCSX2.local
+
+noblacklist ${HOME}/.config/PCSX2
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/PCSX2
+whitelist ${HOME}/.config/PCSX2
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+#seccomp - breaks loading with no logs
+shell none
+#tracelog - 32/64 bit incompatibility
+
+private-bin PCSX2
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/PPSSPPSDL.profile b/etc/profile-m-z/PPSSPPSDL.profile
new file mode 100644
index 000000000..deb00a436
--- /dev/null
+++ b/etc/profile-m-z/PPSSPPSDL.profile
@@ -0,0 +1,9 @@
+# Firejail profile for PPSSPPSDL
+# This file is overwritten after every install/update
+# Persistent local customizations
+include PPSSPPSDL.local
+# added by included profile
+#include globals.local
+
+# Redirect
+include ppsspp.profile
diff --git a/etc/profile-m-z/man.profile b/etc/profile-m-z/man.profile
index c6c50cf47..965750bf0 100644
--- a/etc/profile-m-z/man.profile
+++ b/etc/profile-m-z/man.profile
@@ -57,7 +57,7 @@ disable-mnt
 #private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim
 private-cache
 private-dev
-private-etc alternatives,fonts,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
+private-etc alternatives,fonts,groff,locale,locale.alias,locale.conf,man_db.conf,manpath.config,selinux,sysless,xdg
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index c12fc9a78..202905631 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -1,5 +1,5 @@
 # Firejail profile for Node.js
-# Description: Common profile for npm/yarn
+# Description: Asynchronous event-driven JavaScript runtime
 # This file is overwritten after every install/update
 # Persistent local customizations
 include nodejs-common.local
@@ -45,7 +45,9 @@ shell none
 
 disable-mnt
 private-dev
+# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
 private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+# May need to be commented out in order to enable debugging with some IDEs
 private-tmp
 
 dbus-user none
diff --git a/etc/profile-m-z/openmw-launcher.profile b/etc/profile-m-z/openmw-launcher.profile
new file mode 100644
index 000000000..c9cc144e4
--- /dev/null
+++ b/etc/profile-m-z/openmw-launcher.profile
@@ -0,0 +1,7 @@
+# Firejail profile for openmw-launcher
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw-launcher.local
+
+# Redirect
+include openmw.profile
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
new file mode 100644
index 000000000..270d64c1e
--- /dev/null
+++ b/etc/profile-m-z/openmw.profile
@@ -0,0 +1,61 @@
+# Firejail profile for openmw
+# Description: Open source engine re-implementation for Morrowind
+# This file is overwritten after every install/update
+# Persistent local customizations
+include openmw.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.config/openmw
+noblacklist ${HOME}/.local/share/openmw
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/openmw
+mkdir ${HOME}/.local/share/openmw
+whitelist ${HOME}/.config/openmw
+# Copy Morrowind data files into the following directory or load it from /mnt
+# or whitelist it in a openmw.local
+whitelist ${HOME}/.local/share/openmw
+whitelist /usr/share/openmw
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if installing from disc
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+seccomp.block-secondary
+shell none
+tracelog
+
+private-bin bsatool,esmtool,niftest,openmw,openmw-cs,openmw-essimporter,openmw-iniimporter,openmw-launcher,openmw-wizard
+private-cache
+private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,drirc,fonts,glvnd,group,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nvidia,openmw,pango,passwd,pulse,Trolltech.conf,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
new file mode 100644
index 000000000..c25c4ae66
--- /dev/null
+++ b/etc/profile-m-z/pcsxr.profile
@@ -0,0 +1,57 @@
+# Firejail profile for pcsxr
+# Description: A PlayStation emulator
+# This file is overwritten after every install/update
+# Persistent local customizations
+include pcsxr.local
+# Persistent global definitions
+include globals.local
+
+# Note: you must whitelist your games folder in a pcsxr.local
+
+noblacklist ${HOME}/.pcsxr
+
+include disable-common.inc
+include disable-devel.inc
+include disable-exec.inc
+include disable-interpreters.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-write-mnt.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.pcsxr
+whitelist ${HOME}/.pcsxr
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+apparmor
+caps.drop all
+ipc-namespace
+net none
+netfilter
+# Uncomment the following line if not loading games from disc
+#nodvd
+nogroups
+nonewprivs
+noroot
+notv
+nou2f
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+private-bin pcsxr
+private-cache
+# uncomment the following line if you do not need controller support
+#private-dev
+private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-opt none
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index c71553bcd..263d99c83 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -1,13 +1,14 @@
 # Firejail profile for ppsspp
-# Description: A PSP emulator written in C++
+# Description: A PSP emulator
 # This file is overwritten after every install/update
 # Persistent local customizations
 include ppsspp.local
 # Persistent global definitions
 include globals.local
 
+# Note: you must whitelist your games folder in a ppsspp.local
+
 noblacklist ${HOME}/.config/ppsspp
-noblacklist ${DOCUMENTS}
 
 include disable-common.inc
 include disable-devel.inc
@@ -15,8 +16,15 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
+include disable-write-mnt.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.config/ppsspp
+whitelist ${HOME}/.config/ppsspp
+whitelist /usr/share/ppsspp
+include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
@@ -27,11 +35,13 @@ nogroups
 nonewprivs
 noroot
 notv
+nou2f
 novideo
 protocol unix,netlink
 seccomp
 shell none
 
+private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
 # uncomment the following line if you do not need controller support
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 3da415b70..6cef32249 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -20,7 +20,9 @@ Maelstrom
 Maps
 Mathematica
 Natron
+PCSX2
 PPSSPPQt
+PPSSPPSDL
 QMediathekView
 QOwnNotes
 Screenshot
@@ -77,6 +79,7 @@ balsa
 baobab
 barrier
 basilisk
+bcompare
 beaker
 bibletime
 bijiben
@@ -582,6 +585,8 @@ openarena
 openarena_ded
 opencity
 openclonk
+openmw
+openmw-launcher
 openoffice.org
 openshot
 openshot-qt
@@ -598,6 +603,7 @@ parole
 patch
 pavucontrol
 pavucontrol-qt
+pcsxr
 pdfchain
 pdfmod
 pdfsam
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 60c097cf2..743d84b43 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -630,8 +630,6 @@ int sandbox(void* sandbox_arg) {
                 errExit("mounting " RUN_FIREJAIL_LIB_DIR);
         // keep a copy of dhclient executable before the filesystem is modified
         dhcp_store_exec();
-        // mount appimage before the filesystem is modified
-        appimage_mount();
 
         //****************************
         // log sandbox data
@@ -827,6 +825,11 @@ int sandbox(void* sandbox_arg) {
                 fs_basic_fs();
 
         //****************************
+        // appimage
+        //****************************
+        appimage_mount();
+
+        //****************************
         // private mode
         //****************************
         if (arg_private) {
@@ -1155,14 +1158,12 @@ int sandbox(void* sandbox_arg) {
         //****************************
         // continue security filters
         //****************************
-
         // set capabilities
         set_caps();
 
         //****************************************
         // relay status information to join option
         //****************************************
-
         char *set_sandbox_status = create_join_file();
 
         //****************************************
@@ -1223,7 +1224,6 @@ int sandbox(void* sandbox_arg) {
         //****************************************
         // set cpu affinity
         //****************************************
-
         if (cfg.cpus)
                 set_cpu_affinity();
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index b0b390507..ee685da73 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -666,7 +666,7 @@ Disable DVB (Digital Video Broadcasting) TV devices.
 Disable U2F devices.
 .TP
 \fBnovideo
-Disable video devices.
+Disable video capture devices.
 .TP
 \fBshell none
 Run the program directly, without a shell.