Fix IO safety in `unix.rs`

[beetrees]

As well as using BorrowedFd as opposed to c_int in more places, this PR fixes two related bugs:

• Unix Client::configure() wouldn't ensure the file descriptors passed to Command::configure remained valid until the command was actually spawned. This meant that if the Client was dropped before the Command was spawned, the set_cloexec call could end up hitting an unrelated file descriptor (which the spawned process would then treat as a jobserver).
• Unix string_arg uses the FDs from ClientCreationArg::Fds to put in the environment variables, but before this PR Client::configure would use the FDs from self.read/self.write instead. This would result in the wrong FDs getting passed to set_cloexec. This was basically harmless (apart from having the use-after-drop problem) as the only time the two sets of FDs differ is when the jobserver has been inherited from the environment, in which case the FDs are going to be not-CLOEXEC anyway.

I've also removed the unsafe from the definitions of Client::mk and Client::from_fds as they don't appear to have any safety requirements.

[beetrees]

So the behaviour of spawning a configured command after the (not-inherited) jobserver Client is dropped differs:

• On Windows: The command spawns successfully but attempting to inherit the jobserver will error.
• On Unix before this PR: The command would either fail to spawn (if no FDs had been opened in place of the FDs which were closed) or would spawn successfully with the child process being passed whatever FDs happened to have the same number as the former pipe ends from the parent process.
• On Unix after this PR: The command spawns successfully and the jobserver is inheritable and usable.

[beetrees]

(I've also fixed an unused import warning in the unix.rs tests on Linux)

[NobodyXu]

* On Windows: The command spawns successfully but attempting to inherit the jobserver will error.

That's unfortunate since windows don't have pre_exec.

I have a fork of jobserver, which I workaround this issue by forcing user to pass in a closure and spawn the process there Client::configure_and_run:

pub fn configure_and_run<Cmd, F, R>(&self, cmd: Cmd, f: F) -> Result<R>
where
    Cmd: Command,
    F: FnOnce(&mut Cmd) -> Result<R>;

* On Unix after this PR: The command spawns successfully and the jobserver is inheritable and usable.

I was planning to open a PR to optimize away the pre_exec, if the Client is created from_env, since the original fds inherited from the environment should be valid.

Though that'd mean the jobserver would be inherited without Client::configure