pam_fscrypt: make "lock_policies" the default behavior

pam_fscrypt: make "lock_policies" the default behavior

All pam_fscrypt configuration guides that I'm aware of say to use the
"lock_policies" option for the pam_fscrypt.so session hook.  The
Debian/Ubuntu pam-config-framework config file has it too.

Make locking the default behavior, since this is what everyone wants.

Existing configuration files that contain the "lock_policies" option
will continue to work, but that option won't do anything anymore.

(We could add an option "unlock_only" to restore the old default
behavior, but it's not clear that it would be useful.  So for
simplicity, leave it out for now.)