fix: change polkit action from auth_admin_keep to auth_admin

[mhduiy]

Changed the polkit action for enabling and disabling readonly protection from auth_admin_keep to auth_admin. This modification ensures that administrative authentication is required each time the action is performed, rather than retaining authorization for a period after initial authentication. This enhances security by preventing potential unauthorized use of these sensitive system operations after an initial authorized session.

Log: Changed authentication policy for enabling/disabling readonly protection to require authentication each time

fix: 将 polkit 操作从 auth_admin_keep 更改为 auth_admin

将启用和禁用只读保护的 polkit 操作从 auth_admin_keep 更改为 auth_admin。 此修改确保每次执行操作时都需要管理认证，而不是在初始认证后保留一段时间的
授权。这增强了安全性，防止在初始授权会话后可能发生的对这些敏感系统操作的
未授权使用。

Log: 更改启用/禁用只读保护的认证策略，要求每次操作都需要认证

PMS: BUG-355103

Summary by Sourcery

Bug Fixes:

• Adjust polkit policy for toggling readonly protection to use per-action admin authentication instead of persistent authorization.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Updates the polkit policy for the DDE daemon readonly protection operations so that each enable/disable action now requires fresh admin authentication instead of reusing a cached authorization, tightening security around these sensitive system operations.

File-Level Changes

Change	Details	Files
Require fresh administrator authentication for enabling/disabling readonly protection via polkit.	Change the polkit action authentication level from auth_admin_keep to auth_admin for readonly protection operations Ensure that cached administrative authorization is no longer sufficient to repeatedly toggle readonly protection	misc/polkit-action/org.deepin.dde.daemon.system.policy.in

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've left some high level feedback:

• Check whether there are other polkit actions in the same policy file (or related system operations) that should also switch from auth_admin_keep to auth_admin for consistent security behavior.
• Consider whether the more frequent auth prompts impact any existing UI flows or long-running operations using this action, and if so, ensure the caller side handles repeated auth failures or cancellations gracefully.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Check whether there are other polkit actions in the same policy file (or related system operations) that should also switch from `auth_admin_keep` to `auth_admin` for consistent security behavior.
- Consider whether the more frequent auth prompts impact any existing UI flows or long-running operations using this action, and if so, ensure the caller side handles repeated auth failures or cancellations gracefully.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[robertkill]

LGTM ✅

这是一个合理的安全修复：

• ✅ 修复了 auth_admin_keep 导致的会话保留问题（BUG-355103）
• ✅ 变更范围小（+2/-2行），风险低
• ✅ CI测试全部通过
• ✅ 提交信息清晰，中英文双语描述完整

建议等待OBS CI完成后合并。

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mhduiy, robertkill

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment