12 files changed, 54 insertions, 5 deletions

diff --git a/README.md b/README.md
index 1bb9b2d98..bc4802138 100644
--- a/README.md
+++ b/README.md
@@ -101,4 +101,5 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir
 ## New profiles
 
 Basilisk browser, Tor Browser language packs, PlayOnLinux, sylpheed, discord-canary,
-pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain
+pycharm-community, pycharm-professional, Pitivi, OnionShare, Fritzing, Kaffeine, pdfchain,
+tilp
diff --git a/RELNOTES b/RELNOTES
index a924cd3d8..b0a873e38 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -7,7 +7,7 @@ firejail (0.9.53) baseline; urgency=low
   * private-tmp support for overlay and chroot sandboxes
   * new profiles: basilisk, Tor Browser language packs, PlayOnLinux, sylpheed,
   * new profiles: discord-canary, pycharm-community, pycharm-professional, kaffeine,
-  * new profiles: pdfchain
+  * new profiles: pdfchain, tilp
  -- netblue30 <netblue30@yahoo.com>  Tue, 12 Dec 2017 08:00:00 -0500
 
 firejail (0.9.52) baseline; urgency=low
diff --git a/etc/akregator.profile b/etc/akregator.profile
index f2e5ea341..2c49ef9f0 100644
--- a/etc/akregator.profile
+++ b/etc/akregator.profile
@@ -17,6 +17,7 @@ mkfile ${HOME}/.config/akregatorrc
 mkdir ${HOME}/.local/share/akregator
 whitelist ${HOME}/.config/akregatorrc
 whitelist ${HOME}/.local/share/akregator
+whitelist ${HOME}/.local/share/kssl
 include /etc/firejail/whitelist-common.inc
 
 include /etc/firejail/whitelist-var-common.inc
diff --git a/etc/audacity.profile b/etc/audacity.profile
index e173fa65a..ea1d38132 100644
--- a/etc/audacity.profile
+++ b/etc/audacity.profile
@@ -17,7 +17,7 @@ include /etc/firejail/disable-programs.inc
 include /etc/firejail/whitelist-var-common.inc
 
 caps.drop all
-net none
+#net none
 no3d
 nodvd
 nogroups
diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index ec700e24e..2a4905c04 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -83,15 +83,21 @@ read-only ${HOME}/.config/kdeglobals
 read-only ${HOME}/.config/kio_httprc
 read-only ${HOME}/.config/kiorc
 read-only ${HOME}/.config/kioslaverc
+read-only ${HOME}/.config/ksslcablacklist
+read-only ${HOME}/.kde/share/apps/kssl
 read-only ${HOME}/.kde/share/config/kdeglobals
 read-only ${HOME}/.kde/share/config/kio_httprc
 read-only ${HOME}/.kde/share/config/kioslaverc
+read-only ${HOME}/.kde/share/config/ksslcablacklist
 read-only ${HOME}/.kde/share/kde4/services
+read-only ${HOME}/.kde4/share/apps/kssl
 read-only ${HOME}/.kde4/share/config/kdeglobals
 read-only ${HOME}/.kde4/share/config/kio_httprc
 read-only ${HOME}/.kde4/share/config/kioslaverc
+read-only ${HOME}/.kde4/share/config/ksslcablacklist
 read-only ${HOME}/.kde4/share/kde4/services
 read-only ${HOME}/.local/share/kservices5
+read-only ${HOME}/.local/share/kssl
 
 # kdeinit socket
 blacklist /run/user/*/kdeinit5__*
@@ -245,6 +251,7 @@ read-only ${HOME}/bin
 blacklist   ${HOME}/.local/share/Trash
 
 # Write-protection for desktop entries
+read-only ${HOME}/.config/menus
 read-only ${HOME}/.local/share/applications
 
 # top secret
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 660bb9ffd..a93f50a8d 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -445,6 +445,7 @@ blacklist ${HOME}/.sylpheed-2.0
 blacklist ${HOME}/.synfig
 blacklist ${HOME}/.tconn
 blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.tilp
 blacklist ${HOME}/.tooling
 blacklist ${HOME}/.tor-browser-*
 blacklist ${HOME}/.ts3client
diff --git a/etc/libreoffice.profile b/etc/libreoffice.profile
index 3548a75ad..220e0f02c 100644
--- a/etc/libreoffice.profile
+++ b/etc/libreoffice.profile
@@ -34,3 +34,5 @@ private-tmp
 
 noexec ${HOME}
 noexec /tmp
+
+join-or-start libreoffice
diff --git a/etc/remmina.profile b/etc/remmina.profile
index bef6376c6..cc209b84a 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -5,6 +5,7 @@ include /etc/firejail/remmina.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
+noblacklist ${HOME}/.remmina
 noblacklist ${HOME}/.config/remmina
 noblacklist ${HOME}/.local/share/remmina
 noblacklist ${HOME}/.ssh
diff --git a/etc/soundconverter.profile b/etc/soundconverter.profile
index c27fb3819..1f64567ef 100644
--- a/etc/soundconverter.profile
+++ b/etc/soundconverter.profile
@@ -5,8 +5,6 @@ include /etc/firejail/soundconverter.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-blacklist /run/user/*/bus
-
 include /etc/firejail/disable-common.inc
 include /etc/firejail/disable-devel.inc
 include /etc/firejail/disable-passwdmgr.inc
diff --git a/etc/tilp.profile b/etc/tilp.profile
new file mode 100644
index 000000000..a6165fbfe
--- /dev/null
+++ b/etc/tilp.profile
@@ -0,0 +1,34 @@
+# Firejail profile for tilp
+# This file is overwritten after every install/update
+# Persistent local customizations
+include /etc/firejail/tilp.local
+# Persistent global definitions
+include /etc/firejail/globals.local
+
+noblacklist ${HOME}/.tilp
+
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+include /etc/firejail/disable-passwdmgr.inc
+include /etc/firejail/disable-programs.inc
+
+caps.drop all
+net none
+nodvd
+nogroups
+nonewprivs
+noroot
+notv
+novideo
+protocol unix,netlink
+seccomp
+shell none
+tracelog
+
+disable-mnt
+private-bin tilp
+private-etc fonts
+private-tmp
+
+noexec ${HOME}
+noexec /tmp
diff --git a/etc/whitelist-common.inc b/etc/whitelist-common.inc
index 97846b4a3..c664d5a53 100644
--- a/etc/whitelist-common.inc
+++ b/etc/whitelist-common.inc
@@ -57,15 +57,18 @@ whitelist ${HOME}/.config/Trolltech.conf
 whitelist ${HOME}/.config/kdeglobals
 whitelist ${HOME}/.config/kio_httprc
 whitelist ${HOME}/.config/kioslaverc
+whitelist ${HOME}/.config/ksslcablacklist
 whitelist ${HOME}/.config/qt5ct
 whitelist ${HOME}/.kde/share/config/kdeglobals
 whitelist ${HOME}/.kde/share/config/kio_httprc
 whitelist ${HOME}/.kde/share/config/kioslaverc
+whitelist ${HOME}/.kde/share/config/ksslcablacklist
 whitelist ${HOME}/.kde/share/config/oxygenrc
 whitelist ${HOME}/.kde/share/icons
 whitelist ${HOME}/.kde4/share/config/kdeglobals
 whitelist ${HOME}/.kde4/share/config/kio_httprc
 whitelist ${HOME}/.kde4/share/config/kioslaverc
+whitelist ${HOME}/.kde4/share/config/ksslcablacklist
 whitelist ${HOME}/.kde4/share/config/oxygenrc
 whitelist ${HOME}/.kde4/share/icons
 whitelist ${HOME}/.local/share/qt5ct
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 90bbc8bb5..9bd60171b 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -338,6 +338,7 @@ telegram
 telegram-desktop
 terasology
 thunderbird
+tilp
 tor-browser-ar
 tor-browser-en
 tor-browser-en-us