Mark public API functions as unsafe. (#90)

* Mark public API functions as unsafe.

This marks the public hostcalls functions as unsafe.

This is generalizing from Rust's `from_raw_fd` function, which is
unsafe. The observation is that nothing prevents code using this
function from passing a bogus or stale dangling file descriptor and
corrupting an arbitrary open stream.

Technically, some of these functions don't use file descriptors, such as
random, clocks, and a few others. However I expect that in the future,
random and clocks will switch to using file descriptors anyway, and it
keeps the macro definitions simpler if we only have to handle one form.

* Mark WasiCtx functions that operate on file descriptors unsafe too.

* `fd_filestat_set_times_impl` doesn't need to be unsafe.

* Remove unnecessary unsafes

src/ctx.rs

@@ -163,11 +163,11 @@ impl WasiCtx {
             .and_then(|ctx| ctx.build())
     }
 
-    pub(crate) fn contains_fd_entry(&self, fd: host::__wasi_fd_t) -> bool {
+    pub(crate) unsafe fn contains_fd_entry(&self, fd: host::__wasi_fd_t) -> bool {
         self.fds.contains_key(&fd)
     }
 
-    pub(crate) fn get_fd_entry(
+    pub(crate) unsafe fn get_fd_entry(
         &self,
         fd: host::__wasi_fd_t,
         rights_base: host::__wasi_rights_t,
@@ -180,7 +180,7 @@ impl WasiCtx {
         }
     }
 
-    pub(crate) fn get_fd_entry_mut(
+    pub(crate) unsafe fn get_fd_entry_mut(
         &mut self,
         fd: host::__wasi_fd_t,
         rights_base: host::__wasi_rights_t,