fix(podman): filter bind-backed named volumes

[elezar]

Summary

Add Podman named-volume inspection so OpenShell can detect local-driver volumes created with host bind options. This makes Podman reject bind-backed named volumes unless [openshell.drivers.podman].enable_bind_mounts = true, matching the Docker driver behavior added with the initial driver-config volume mount support.

Related Issue

Follow-up to #1785.

Changes

• Added typed Podman volume inspect parsing for Driver and Options.
• Replaced existence-only Podman volume validation with inspect-based bind-backed filtering.
• Added unit tests for volume inspect parsing, bind-backed volume detection, and enabled/disabled validation paths.
• Updated architecture, driver README, gateway config, and compute-driver docs.

Testing

• mise run pre-commit passes
• Unit tests added/updated
• E2E tests added/updated (if applicable)

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[elezar]

cc @drew for explicit visibility on this follow-up Podman bind-backed volume filtering PR.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1861.docs.buildwithfern.com/openshell

[elezar]

gator-agent

PR Review Status

Validation: this is maintainer-authored, project-valid Podman driver security/behavior work. It is a small focused follow-up to make Podman local-driver bind-backed named volumes require the same unsafe operator opt-in as direct bind mounts and Docker bind-backed volumes.
Head SHA: c9095c4943fdc9837a3f301babcfa1536c62a0b2

Review findings:

• Blocking: crates/openshell-driver-podman/src/driver.rs:60 only treats o=bind as bind-backed. Podman also supports recursive bind through rbind, so a local-driver volume created with o=rbind can expose a host path inside the sandbox while [openshell.drivers.podman].enable_bind_mounts = false. Please treat both bind and rbind as bind-backed, preferably with case-insensitive local driver matching, and add focused tests for o=rw,rbind plus the disabled validation path. This is a default-deny bypass of the sandbox filesystem boundary. CWE-284 / CWE-269.

Docs: Fern reference docs were updated in existing pages; no navigation change appears needed.
E2E: test:e2e is being applied because this changes Podman driver mount behavior.

Next state: gator:in-review

[github-actions]

Label test:e2e applied for c9095c4. Open the existing run and click Re-run all jobs to execute with the label set. The run will execute the standard E2E suite after building the required gateway and supervisor images once. The matching required CI gate status on this PR will flip green automatically once the run finishes.

[elezar]

gator-agent

PR Review Status

Validation: this is maintainer-authored, project-valid Podman driver security/behavior work. It is a small focused follow-up to make Podman local-driver bind-backed named volumes require the same unsafe operator opt-in as direct bind mounts and Docker bind-backed volumes. Head SHA: c9095c4943fdc9837a3f301babcfa1536c62a0b2

Review findings:

• Blocking: crates/openshell-driver-podman/src/driver.rs:60 only treats o=bind as bind-backed. Podman also supports recursive bind through rbind, so a local-driver volume created with o=rbind can expose a host path inside the sandbox while [openshell.drivers.podman].enable_bind_mounts = false. Please treat both bind and rbind as bind-backed, preferably with case-insensitive local driver matching, and add focused tests for o=rw,rbind plus the disabled validation path. This is a default-deny bypass of the sandbox filesystem boundary. CWE-284 / CWE-269.

Docs: Fern reference docs were updated in existing pages; no navigation change appears needed. E2E: test:e2e is being applied because this changes Podman driver mount behavior.

Next state: gator:in-review

Does Docker also support rbind, meaning that Docker's implementaiton would ALSO need to be updated?

[elezar]

gator-agent

Re-check After Author Update

I re-evaluated latest head c9095c4943fdc9837a3f301babcfa1536c62a0b2 after elezar's 2026-06-10 21:40 UTC question about whether Docker also supports rbind.

Disposition: needs follow-up.

Remaining items:

• Yes, Docker local-driver volume options can use recursive bind semantics too, and the current Docker helper only checks o=bind. The same class of host bind exposure should be handled for Docker as well.
• For this Podman-focused PR, the blocking item remains: treat Podman local-driver o=rbind as bind-backed, keep the local driver match robust, and add focused disabled-validation coverage. To close the broader class, either include the analogous Docker rbind handling/tests in this PR or link a maintainer-accepted follow-up for Docker.

Next state: gator:in-review