Make DispVMs started from a DispVM to use the same DVM template by default

If a specific DVM template is used for given DispVM, make new DispVMs
called from it use the same DVM template (unless explicitly overridden).
This prevent various isolation bypass cases, like using a chain of
DispVMs to access network.

qubes/vm/dispvm.py

@@ -45,6 +45,12 @@ class DispVM(qubes.vm.qubesvm.QubesVM):
         default=(lambda self: not self.auto_cleanup),
         doc='If this domain is to be included in default backup.')
 
+    default_dispvm = qubes.VMProperty('default_dispvm',
+        load_stage=4,
+        allow_none=True,
+        default=(lambda self: self.template),
+        doc='Default VM to be used as Disposable VM for service calls.')
+
     def __init__(self, app, xml, *args, **kwargs):
         self.volume_config = {
             'root': {