[lint: unsafe_in_unsafe_fn] A lint which triggers on unsafe operations in `unsafe fn`

[Centril]

As a follow up to fixing #69173 via #69245, we would like to see a lint, starting as allow-by-default which would trigger on the following situation:

#![warn(unsafe_in_unsafe_fn)]

unsafe fn foo() {} // Stand-in for any unsafe operation.
unsafe fn bar() {
    foo();
    //~^ WARN unsafe operation directly in `unsafe fn`
    //~| HELP move the operation into an `unsafe { ... }` block.
}

Eventually, over time, we would like to consider moving this lint to be warn-by-default, but we would like to give the ecosystem time to adapt before doing so. We have not discussed what the timescale of "eventually" entails.

Context (this has already been tentatively accepted by the language team in meetings, though not FCP):

• RFC for unsafe blocks in unsafe fn rfcs#2585 (comment)
• RFC for unsafe blocks in unsafe fn rfcs#2585 (comment)

cc @rust-lang/lang @RalfJung

This issue has been assigned to @LeSeulArtichaut via this comment.

[LeSeulArtichaut]

Working on this.
@rustbot claim

[programmerjake]

This would be very useful for implementing an extensive C FFI API since most of the functions are unsafe externally but the functions' bodies don't necessarily need any unsafe code. Once this is stabilized, I will definitely be using this in Kazan, the Vulkan driver I'm writing.

[RalfJung]

I updated the RFC to discuss the new proposed lint and the interaction with the "unnecessary unsafe" lint. See rust-lang/rfcs#2585 (comment).