Don't probe disk contents of loop* or xvd*

Adds a standalone rule to the very top of 60-persistent-storage.rules.

system-config/60-persistent-storage.rules

@@ -1,3 +1,9 @@
+# Qubes: Prevent probing of domU controlled disk contents. Note that it would
+# nevertheless be insecure to attach block devices from domU to dom0 (xvd*) due
+# to automatic kernel partition table scanners -- which are disabled for loop*
+# devices created without LO_FLAGS_PARTSCAN.
+SUBSYSTEM=="block", KERNEL=="loop*|xvd*", GOTO="persistent_storage_end"
+
 # do not edit this file, it will be overwritten on update
 
 # persistent storage links: /dev/disk/{by-id,by-uuid,by-label,by-path}