add support in zfs for aclmode=restricted
ZFS ACLs are quite powerful and very useful; however, there is currently no way to protect them from being destroyed or corrupted by a drive-by chmod. There is virtually no way to simply avoid chmod. Whether it's a user or junior admin who simply doesn't know any better, or a closed binary application that is not ACL aware and uses chmod under the hood, or even the issue with NFS exclusive open that stomps on inherited ACLs, one way or another at some point your carefully constructed ACL is going to get mangled.
To prevent this, I propose adding an additional aclmode "deny", which would restrict any attempt to chmod a zfs object with a nontrivial ACL. An object with a nontrivial ACL can only have its permissions changed via ACL operations, not legacy chmod. Interestingly, the commercial EMC Isilon storage appliance supports something like this, at least based on the options listed in a demonstration (we never actually came to terms on the ridiculous NDA they wanted to actually evaluate the product, so didn't get to try it out).
I'm going to put together an initial implementation.
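
A simplified model of the behaviour proposed above, added here as an illustration; it is not part of the original issue and is not ZFS code. The `Ace` and `Obj` types, the `is_trivial` rule and the `chmod` function are assumptions made for the example, and only `discard` and the proposed `deny` mode are modelled.

```python
# Added illustration: a simplified model of the proposal, not ZFS source code.
from dataclasses import dataclass

# Special "who" values whose access the mode bits alone can express.
TRIVIAL_WHO = {"owner@", "group@", "everyone@"}


@dataclass(frozen=True)
class Ace:
    who: str                           # "owner@", "user:alice", ...
    kind: str                          # "allow" or "deny"
    perms: frozenset                   # e.g. frozenset({"read_data"})
    inherit: frozenset = frozenset()   # e.g. frozenset({"file_inherit"})


@dataclass
class Obj:
    mode: int
    acl: list


def is_trivial(acl):
    """Assumption: an ACL is trivial when every entry names only owner@,
    group@ or everyone@ and carries no inheritance flags."""
    return all(a.who in TRIVIAL_WHO and not a.inherit for a in acl)


def chmod(obj, new_mode, aclmode):
    """Apply a legacy chmod to obj under the given aclmode.

    "deny" (the name used in the proposal) refuses the call when the ACL
    is nontrivial and leaves the object untouched. "discard" lets the call
    through and drops every entry the mode bits cannot represent, which is
    the drive-by damage the proposal is meant to stop.
    """
    if aclmode not in ("deny", "discard"):
        raise ValueError("aclmode not modelled in this example: " + aclmode)
    if aclmode == "deny" and not is_trivial(obj.acl):
        raise PermissionError("nontrivial ACL: change it with ACL operations")
    obj.mode = new_mode
    obj.acl = [a for a in obj.acl if a.who in TRIVIAL_WHO and not a.inherit]
    return obj
```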