current_exe changes

remove unsafe

remove incorrect doc

src/core/utils/sys.rs

@@ -30,12 +30,7 @@ pub fn maximize_fd_limit() -> Result<(), nix::errno::Errno> {
 
 /// Return a possibly corrected std::env::current_exe() even if the path is
 /// marked deleted.
-///
+pub fn current_exe() -> Result<PathBuf> {
-/// # Safety
-/// This function is declared unsafe because the original result was altered for
-/// security purposes, and altering it back ignores those urposes and should be
-/// understood by the user.
-pub unsafe fn current_exe() -> Result<PathBuf> {
 	let exe = std::env::current_exe()?;
 	match exe.to_str() {
 		| None => Ok(exe),

src/main/restart.rs

@@ -6,17 +6,7 @@ use tuwunel_core::{debug, info, utils};
 
 #[cold]
 pub(super) fn restart() -> ! {
-	// SAFETY: We have allowed an override for the case where the current_exe() has
+	let exe = utils::sys::current_exe().expect("program path must be available");
-	// been replaced or removed. By default the server will fail to restart if the
-	// binary has been replaced (i.e. by cargo); this is for security purposes.
-	// Command::exec() used to panic in that case.
-	//
-	// We can (and do) prevent that panic by checking the result of current_exe()
-	// prior to committing to restart, returning an error to the user without any
-	// unexpected shutdown. In a nutshell that is the execuse for this unsafety.
-	// Nevertheless, we still want a way to override the restart prevention (i.e.
-	// admin server restart --force).
-	let exe = unsafe { utils::sys::current_exe().expect("program path must be available") };
 	let envs = env::vars();
 	let args = env::args().skip(1);
 	debug!(?exe, ?args, ?envs, "Restart");