Improve logic for when zfs_acl_map_modify modifies ACLs on read.
Big picture, we determine whether the ACL entry has POSIX write
(as set via chmod/fchmod) and then map it to the equivalent of
GENERIC_WRITE in the resulting security descriptor. This gives more
consistent ACL behavior in these edge cases, and is critical to
allowing users to manage directories auto-generated by vfs_recycle.