fix(drivers): filter bind-backed named volumes

[elezar]

Summary

Add Podman named-volume inspection so OpenShell can detect local-driver volumes created with host bind options. Podman now rejects bind-backed named volumes unless [openshell.drivers.podman].enable_bind_mounts = true, matching the Docker driver behavior added with the initial driver-config volume mount support.

This PR also tightens both Docker and Podman bind-backed volume detection so comma-separated local-driver o=... options containing either bind or rbind are treated as host bind mounts.

Related Issue

Follow-up to #1785.

Changes

• Added typed Podman volume inspect parsing for Driver and Options.
• Replaced existence-only Podman volume validation with inspect-based bind-backed filtering.
• Updated Docker and Podman bind-backed volume detection to recognize both bind and rbind mount options.
• Added unit tests for Podman volume inspect parsing, bind-backed volume detection, and enabled/disabled validation paths.
• Added Docker and Podman focused tests for rw,rbind local-driver volume options.
• Updated architecture, driver README, gateway config, and compute-driver docs.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[elezar]

cc @drew for explicit visibility on this follow-up Podman bind-backed volume filtering PR.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1861.docs.buildwithfern.com/openshell

[elezar]

gator-agent

PR Review Status

Validation: this is maintainer-authored, project-valid Podman driver security/behavior work. It is a small focused follow-up to make Podman local-driver bind-backed named volumes require the same unsafe operator opt-in as direct bind mounts and Docker bind-backed volumes.
Head SHA: c9095c4943fdc9837a3f301babcfa1536c62a0b2

Review findings:

• Blocking: crates/openshell-driver-podman/src/driver.rs:60 only treats o=bind as bind-backed. Podman also supports recursive bind through rbind, so a local-driver volume created with o=rbind can expose a host path inside the sandbox while [openshell.drivers.podman].enable_bind_mounts = false. Please treat both bind and rbind as bind-backed, preferably with case-insensitive local driver matching, and add focused tests for o=rw,rbind plus the disabled validation path. This is a default-deny bypass of the sandbox filesystem boundary. CWE-284 / CWE-269.

Docs: Fern reference docs were updated in existing pages; no navigation change appears needed.
E2E: test:e2e is being applied because this changes Podman driver mount behavior.

Next state: gator:in-review

[github-actions]

Label test:e2e applied for c9095c4. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

[elezar]

gator-agent

PR Review Status

Validation: this is maintainer-authored, project-valid Podman driver security/behavior work. It is a small focused follow-up to make Podman local-driver bind-backed named volumes require the same unsafe operator opt-in as direct bind mounts and Docker bind-backed volumes. Head SHA: c9095c4943fdc9837a3f301babcfa1536c62a0b2

Review findings:

• Blocking: crates/openshell-driver-podman/src/driver.rs:60 only treats o=bind as bind-backed. Podman also supports recursive bind through rbind, so a local-driver volume created with o=rbind can expose a host path inside the sandbox while [openshell.drivers.podman].enable_bind_mounts = false. Please treat both bind and rbind as bind-backed, preferably with case-insensitive local driver matching, and add focused tests for o=rw,rbind plus the disabled validation path. This is a default-deny bypass of the sandbox filesystem boundary. CWE-284 / CWE-269.

Docs: Fern reference docs were updated in existing pages; no navigation change appears needed. E2E: test:e2e is being applied because this changes Podman driver mount behavior.

Next state: gator:in-review

Does Docker also support rbind, meaning that Docker's implementaiton would ALSO need to be updated?

[elezar]

gator-agent

Re-check After Author Update

I re-evaluated latest head c9095c4943fdc9837a3f301babcfa1536c62a0b2 after elezar's 2026-06-10 21:40 UTC question about whether Docker also supports rbind.

Disposition: needs follow-up.

Remaining items:

• Yes, Docker local-driver volume options can use recursive bind semantics too, and the current Docker helper only checks o=bind. The same class of host bind exposure should be handled for Docker as well.
• For this Podman-focused PR, the blocking item remains: treat Podman local-driver o=rbind as bind-backed, keep the local driver match robust, and add focused disabled-validation coverage. To close the broader class, either include the analogous Docker rbind handling/tests in this PR or link a maintainer-accepted follow-up for Docker.

Next state: gator:in-review

[elezar]

Addressed Gator’s rbind blocker in d21b5f2. Both Docker and Podman now treat comma-separated o=... entries containing either bind or rbind as bind-backed, with focused tests for rw,rbind; Podman also has a disabled-validation-path test for the recursive bind case.

[elezar]

gator-agent

Re-check After Author Update

I re-evaluated latest head d21b5f2f280d634e9f510c1312e9582caa3c329b after elezar's 2026-06-11 06:51 UTC update saying the rbind blocker was addressed.

Disposition: resolved.

Remaining items:

• No blocking review items remain. The independent review confirmed that both Docker and Podman now treat comma-separated o=... entries containing bind or rbind as bind-backed, and Podman includes disabled-validation-path coverage for the recursive bind case.
• Nonblocking suggestion: consider making the Docker/Podman local driver comparison case-insensitive for defensive robustness.

Validation: maintainer-authored Podman/Docker driver security behavior follow-up for bind-backed named volumes.
Docs: Fern reference docs were updated in existing pages; no navigation change appears needed.
Checks: OpenShell / Branch Checks, OpenShell / Helm Lint, DCO, and OpenShell / E2E are green for the current head.
E2E: test:e2e is applied and the required E2E gate is green.

Next state: gator:approval-needed

Human maintainer approval or merge decision is now required.

[drew]

Looks good!

[elezar]

gator-agent

Monitoring Complete

Monitoring is complete because this PR has merged.

Final status: latest gator state was gator:approval-needed; required checks were green and the PR merged at 2026-06-11T15:03:34Z.

I removed the active gator:* label because there is nothing left for gator to monitor on this PR.