I guess I disagree about where we should start. Answering the question you just posted sounds rather difficult and any sort of precise list the subject of much discussion/debate.
I am personally more interested specifying a reusable mechanism for modeling these design boundaries which works for arbitrary Rust crates and
std alike than answering questions like “what should the boundaries for std be?”. That feels a bit like putting the cart before the horse, as the answer to that question seems to depend on exactly what the question is.
To answer your question in broad strokes:
std is already broken down into relevant modules and tagged with existing features. I think you start with a list that’s roughly shaped to how
std is implemented today, and potentially coalesce subsystems in the event there’s consensus that there are trivial escalations between them to the point that modeling them separately does not provide any value.
While I agree there might be merit in collapsing
command, I think there are also advantages to keeping them separate. Is an argument like "a Linux specific API can be used to escalate
net" a sufficient reason to collapse them or, failing that, make one a dependency of the other? I think that’s debatable. I also think this is maybe not the time and place to have that particular debate.
Mainly that I want to point out that the fact I think it’s incorrect to say that because a privilege escalation path between two proposed permissions exists in a particular context that they are “exactly the same thing”. As I pointed out earlier, there is (or was) an escalation path between
cmd for users running an unauthenticated Redis instance on their local computer. Does this mean separating the
cmd features/permissions provides no value or is misleading to users? That’s debatable, but personally I think the answer is “no”.
Finally, I again want to point out the danger that without sufficiently fine-grained authority, crates will be given too much authority, and that will result in vulnerabilities that could’ve been prevented by a more least authority approach.