QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Improve handling of restricted Admin API policy #5099

Open marmarek opened 5 years ago

marmarek commented 5 years ago

The problem you're addressing (if any)

Writing policy for a management VM for qvm-* tools to work requires multiple trade-offs. For example:

Describe the solution you'd like

  1. Limit admin.vm.List output (which, when directed to dom0, lists all the VMs) to a list of VMs explicitly allowed in admin.vm.List policy, even when the call is to dom0.
  2. When information about a VM is retrieved through the Admin API (for example a property referencing another VM), do not try to list that VM.

Where is the value to a user, and who might that user be?

Ease writing concise and precise Admin API policy. Basically, remove the catches mentioned in https://www.qubes-os.org/news/2017/06/27/qubes-admin-api/#simple-management-vm-demo

Related, non-duplicate issues

3293
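The filtering proposed in item 1 of the comment above, as an added sketch that is not Qubes OS code and not part of the issue. It assumes a simplified policy model (one `source target action[,params]` rule per line, first match wins, only literal target names count as explicit) and list lines of the form `name class=... state=...`. All function names and sample data are hypothetical.

```python
# Added illustration, not Qubes OS code. Assumed model: first matching rule
# wins; wildcard or tag targets are never "explicit" and so never match a VM.
ANY_SOURCE = {"$anyvm", "@anyvm"}

def parse_policy(text):
    """Return [(source, target, action)] from policy text, ignoring comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        source, target, action = fields
        # Parameters after the comma (e.g. target=) do not affect visibility.
        rules.append((source, target, action.split(",", 1)[0].strip()))
    return rules

def explicitly_allowed(rules, caller, vm):
    """True only if the first rule whose target names vm literally is 'allow'."""
    for source, target, action in rules:
        if source != caller and source not in ANY_SOURCE:
            continue
        if target == vm:
            return action == "allow"   # deny and ask both hide the VM
    return False                        # no explicit rule: hide by default

def filter_vm_list(list_output, rules, caller):
    """Keep only the admin.vm.List lines whose VM the caller may list."""
    return "".join(
        line for line in list_output.splitlines(keepends=True)
        if explicitly_allowed(rules, caller, line.partition(" ")[0].strip()))

# Constructed sample data (not taken from a real system).
SAMPLE_POLICY = """\
mgmt-vm dom0 allow
mgmt-vm vault deny   # constructed: this qube stays hidden
mgmt-vm work allow,target=dom0
$anyvm $anyvm deny
"""
SAMPLE_LIST = """\
dom0 class=AdminVM state=Running
work class=AppVM state=Running
personal class=AppVM state=Halted
vault class=AppVM state=Halted
"""

if __name__ == "__main__":
    print(filter_vm_list(SAMPLE_LIST, parse_policy(SAMPLE_POLICY), "mgmt-vm"), end="")
```

With the sample policy, `mgmt-vm` sees only `dom0` and `work`: `vault` is denied explicitly and `personal` has no rule naming it.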

marmarek commented 4 years ago

Generally admin.Events is more tricky than that, because it also discloses a bunch of other information, like property values when they are being set. This could be handled in a similar manner (analyze policy for admin.vm.property.Get with the appropriate argument, for example), but this is left for a future extension, not part of this issue.