Properly evaluate edge cases where user credential may grant
capability to override DAC in various situations. Switch to
using ns-aware checks rather than capable().

Expand optimization allow bypass of zfs_zaccess() in case of
trivial ACL if MAY_OPEN is included in requested mask. This
will be evaluated in generic_permission() check, which is
RCU walk safe. This means that in most cases evaluating
permissions on boot volume with NFSv4 ACLs will follow the
fast path on checking inode permissions.
Signed-off-by: Andrew Walker <awalker@ixsystems.com>