isolated_app: allow app_data_file lock

Chrome's WebSQL implementation works by running sqlite in the
sandboxed renderer process, and sqlite expects to be able to
call flock() on the database file.

Bug: 20134929
Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54
diff --git a/isolated_app.te b/isolated_app.te
index 48bf3de..c368527 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,7 +13,7 @@
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
+allow isolated_app app_data_file:file { read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;