From ae7656e348e643d9595820f35771c69e348becd9 Mon Sep 17 00:00:00 2001
From: Rusty Bird
Date: Sun, 26 Jun 2016 12:51:20 +0000
Subject: [PATCH] Don't probe disk contents of loop* or xvd*

Adds a standalone rule to the very top of 60-persistent-storage.rules.
---
 system-config/60-persistent-storage.rules | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system-config/60-persistent-storage.rules b/system-config/60-persistent-storage.rules
index 5ab03fc..38085c2 100644
--- a/system-config/60-persistent-storage.rules
+++ b/system-config/60-persistent-storage.rules
@@ -1,3 +1,9 @@
+# Qubes: Prevent probing of domU controlled disk contents. Note that it would
+# nevertheless be insecure to attach block devices from domU to dom0 (xvd*) due
+# to automatic kernel partition table scanners -- which are disabled for loop*
+# devices created without LO_FLAGS_PARTSCAN.
+SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end"
+
 # do not edit this file, it will be overwritten on update
 # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path}
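Review bot: The GOTO on the new SUBSYSTEM=="block" rule jumps to persistent_storage_end, which only skips the remaining rules of this file (the blkid and *_id probes), while rules in other udev files that fire on the same block uevents, such as LVM, btrfs or udisks scanning where installed in dom0, are untouched, so "Prevent probing" in the added comment holds only for this file. I would make that scope explicit with one more comment line, `# Only the rules in this file are skipped; other rules files may still probe.`, and confirm whether dom0's other rules files need an equivalent guard. The KERNEL glob also matches partition nodes (loop0p1, xvda1), which appears intended since the partition device would otherwise be probed. The hunk header announces three context lines but only two are visible, so the hunk may be cut off at the end of the page.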