CVE-2020-25720 s4-acl: Test Create Child permission should not allow full write to all attributes

Up to now, the rights to modify an attribute were not checked during an LDAP
add operation. This means that even if a user has no right to modify
an attribute, they can still specify any value during object creation,
and the validated writes were not checked.
This patch includes tests for the proposed change of behavior.
test_add_c3 and c4 pass, because mandatory attributes can still be
set, and in the old behavior SD permissions were irrelevant

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/bug-14810

@@ -0,0 +1,29 @@
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_c1\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_c2\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_c5\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_computer1\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_derived_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_disallowed_attr\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_optional_attr\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_dacl\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_dacl_implicit\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_empty\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_explicit_right_owner_not_us\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_explicit_right_sacl\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_group\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_group_explicit_right\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_group_implicit\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_implicit_right_optional_attr\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_owner\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_owner_explicit_right\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_owner_implicit\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclAddTests.test_add_security_descriptor_sacl\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_explicit_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_owner_computer_implicit_right_allowed\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_dacl_owner_computer_implicit_right_blocked\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_group_explicit_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_admin_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_explicit_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_admin_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_computer\(.*\)
+^samba4.ldap.acl.python\(.*\).__main__.AclModifyTests.test_modify_owner_other_user\(.*\)