AppArmor notifications + audit

Hiya. I want to set up desktop notifications from AppArmor in KDE. Looking at public NixOS configs on GH, I can see that people are often doing exactly this using the audit daemon, so based on the repos I found from other people I came up with something like this:

Unfortunately this doesn't work; audit complains:

warning: the following units failed: audit-rules-nixos.service
× audit-rules-nixos.service - Load Audit Rules
Loaded: loaded (/etc/systemd/system/audit-rules-nixos.service; enabled; preset: ignored)
Active: failed (Result: exit-code) since Sun 2026-02-01 07:31:45 GMT; 1s ago
Invocation: b6d8f2649b304f38aca1ff7c5abfb73d
Process: 126774 ExecStart=/nix/store/i3sjj0gnn3g3n9ywl0hvnpararqvc80n-audit-4.1.2-unstable-2025-09-06-bin/bin/auditctl -R /nix/store/qzxv8pp2zsgba4bmsqwqscyg3cmrjyab-audit.rules/audit.rules (code=exited, status=1/FAILURE)
Process: 126781 ExecStopPost=/nix/store/i3sjj0gnn3g3n9ywl0hvnpararqvc80n-audit-4.1.2-unstable-2025-09-06-bin/bin/auditctl -e 0 (code=exited, status=255/EXCEPTION)
Main PID: 126774 (code=exited, status=1/FAILURE)
IP: 0B in, 0B out
IO: 160K read, 0B written
Mem peak: 2.7M
CPU: 10ms

Feb 01 07:31:45 dinth-nixos-desktop systemd[1]: Starting Load Audit Rules...
Feb 01 07:31:45 dinth-nixos-desktop auditctl[126774]: No rules
Feb 01 07:31:45 dinth-nixos-desktop auditctl[126774]: There was an error in line 2 of /nix/store/qzxv8pp2zsgba4bmsqwqscyg3cmrjyab-audit.rules/audit.rules
Feb 01 07:31:45 dinth-nixos-desktop systemd[1]: audit-rules-nixos.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 07:31:45 dinth-nixos-desktop auditctl[126781]: There was an error while processing parameters
Feb 01 07:31:45 dinth-nixos-desktop systemd[1]: audit-rules-nixos.service: Control process exited, code=exited, status=255/EXCEPTION
Feb 01 07:31:45 dinth-nixos-desktop systemd[1]: audit-rules-nixos.service: Failed with result 'exit-code'.
Feb 01 07:31:45 dinth-nixos-desktop systemd[1]: Failed to start Load Audit Rules.

Looking at the contents of the audit configuration it contains:

❄  michal …/ROMs/Amiga/roms   07:20  ❯cat /nix/store/qzxv8pp2zsgba4bmsqwqscyg3cmrjyab-audit.rules/audit.rules
1 -D
2 -b 1024
3 -f 1
4 -r 0
5 -a exclude,always -F msgtype=SERVICE_START
6 -a exclude,always -F msgtype=SERVICE_STOP
7 - exclude,always -F msgtype=BPF
8 -w /etc/apparmor/ -p wa -k apparmor_changes
9 -w /etc/apparmor.d/ -p wa -k apparmor_changes
10 -a exit,always -F arch=b64 -S init_module -S finit_module -k module_insertion
11 -a exit,always -F arch=b32 -S init_module -S finit_module -k module_insertion
12 -a exit,always -F arch=b64 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve
13 -a exit,always -F arch=b32 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve
14 -w /etc/nixos/ -p wa -k nixos-config
15 -w /etc/passwd -p wa -k identity
16 -w /etc/group -p wa -k identity
17 -w /etc/shadow -p wa -k identity
18 -w /run/wrappers/bin/doas -p x -k privileged
19
20 -e 1

and it looks like the problematic lines are the first 4 ones, which are automatically generated by NixOS, regardless of what I put in security.audit.rules.
Is this a NixOS bug or am I doing something wrong here?
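
A structural pre-check for a generated audit.rules file, as an added example that is not part of the original post and is not NixOS or audit project code: it reports, by file line number, lines that do not begin with an option or whose `-a`, `-w`, `-b`, `-f`, `-r` or `-e` argument is missing. It is a simplified check, not auditctl's own parser, and the names `lint_audit_rules` and `SAMPLE` are chosen here.

```python
import re
import shlex

LISTS = {"task", "exit", "user", "exclude", "filesystem", "io_uring"}
ACTIONS = {"always", "never"}
NUMERIC = {"-b", "-r", "-f", "-e"}  # options taking one integer argument

def lint_audit_rules(text):
    """Return [(line_no, message)] for lines failing a structural check."""
    problems = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are skipped
        try:
            tokens = shlex.split(line)
        except ValueError as exc:  # e.g. unbalanced quotes
            problems.append((no, f"cannot tokenize: {exc}"))
            continue
        opt, args = tokens[0], tokens[1:]
        if not re.fullmatch(r"-[A-Za-z]|--[a-z][a-z_-]*", opt):
            problems.append((no, f"does not start with an option: {opt!r}"))
        elif opt in NUMERIC and not (args and args[0].isdigit()):
            problems.append((no, f"{opt} needs an integer argument"))
        elif opt in ("-a", "-A"):
            pair = set(args[0].split(",")) if args else set()
            if len(pair) != 2 or not (pair & LISTS and pair & ACTIONS):
                problems.append((no, f"{opt} needs a list,action pair"))
        elif opt == "-w" and not (args and not args[0].startswith("-")):
            problems.append((no, "-w needs a path argument"))
    return problems

# Excerpt of the listing in the post (lines 1-8, 12 and 20), gutter removed.
SAMPLE = """\
-D
-b 1024
-f 1
-r 0
-a exclude,always -F msgtype=SERVICE_START
-a exclude,always -F msgtype=SERVICE_STOP
- exclude,always -F msgtype=BPF
-w /etc/apparmor/ -p wa -k apparmor_changes
-a exit,always -F arch=b64 -C auid!=euid -F auid!=unset -F euid=0 -S execve -k privesc_execve
-e 1
"""

if __name__ == "__main__":
    for no, msg in lint_audit_rules(SAMPLE):
        print(f"line {no}: {msg}")
```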