Improve auto_cleanup mechanism

[DemiMarie]

The problem you're addressing (if any)
Some DispVMs are meant to be removed after they die, and leave no trace of their existence (except possibly logs). These include ones created by qrexec and by SaltStack. Others are somewhat more permanent: while the VM itself has no persistent state, some metadata (device assignments, qrexec policies, etc) should be preserved after the VM shuts off. For example, this includes sys-usb if it is a DispVM.

Describe the solution you'd like
I propose that the qube name be used to distinguish these cases. Under this proposal, qube names that begin with disp are reserved as follows:

• Qubes with names that begin with disp cannot be created explicitly via the Admin API, or by qvm-create. They can only be created by qubesd itself, and are always disposable.
• qubesd uses names beginning with disp for all DisposableVMs that it creates itself, as opposed to qubes created explicitly via the Admin API. In particular, these can be created by
  • qrexec with a DispVM target
  • A new API call to create a management VM, which will be used by SaltStack and other management tools.
• Qubes with names that start with disp are killed when the API call that created them ends. This matches the current behavior of qrexec targeting a DispVM.
• Whenever a qube with a name that starts with disp dies, it is cleaned up as follows
  1. All qrexec policy rules mentioning it are purged.
  2. The VM’s storage is removed.
  3. The VM record is purged from qubes.xml.

Where is the value to a user, and who might that user be?
This mostly benefits users who make heavy use of SaltStack or qvm-run --dispvm. While the second case will go away in Qubes 4.1, the first will not, and has similar problems.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
This is related to a bug reported against Docker. Both involved clients needing to clean up temporary resources after use, even though the server could have done that just as easily.

Relevant documentation you've consulted
None so far

Related, non-duplicate issues
#4253

[marmarek]

There is a proper for marking such VMs already: a DispVM class has a auto_cleanup property which means: remove the VM when it's terminated. I think it's much more elegant than reserving some particular names.
In relation to this issue, the mechanism should be extended to:

• remove also qrexec policy rules added by qubesctl
• remove all kind of logs and other related data as listed in Reduce leakage of disposable VM content and history into dom0 filesystem #4972
• trigger the cleanup also on qrexec call termination (currently done when the call is originating from a VM, but if it's from dom0, then the calling process is responsible for this)

[brendanhoar]

@marmarek if I may, I would suggest a bullet point covering cleanup of some of these remnants even if the system were not shutdown cleanly. e.g. volatile storage that was not removed in the last session.

[marmarek]

I'd prefer this (removing DispVM data after unclean shutdown) as a separate issue.
Some of it is already done, but apparently not everything.