From 53c84ed4f075833c0af22125e6354f12b901b119 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 9 Apr 2015 09:55:12 -0700
Subject: [PATCH] isolated_app: allow app_data_file lock

Chrome's WebSQL implementation works by running sqlite in the
sandboxed renderer process, and sqlite expects to be able to
call flock() on the database file.

Bug: 20134929
Change-Id: Id33a2cd19b779144662056c6f3aba3365b0a2a54
---
 isolated_app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/isolated_app.te b/isolated_app.te
index 48bf3defc..c3685279f 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,7 +13,7 @@ type isolated_app, domain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
+allow isolated_app app_data_file:file { read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;
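Review bot: The comment above the changed rule still describes only access to already-open files and gives no reason for `lock`, so a later audit of isolated_app's permissions has to go to the commit log to learn why the sandbox may take file locks. I would add a line next to the rule such as `# lock: sqlite in the sandboxed renderer (Chrome WebSQL) calls flock() on the database fd it is passed.` The comment could also state that `open` is deliberately absent, since that is what limits the new permission to descriptors the app chose to hand over. If the policy does not already pin this elsewhere (not visible in this hunk), a `neverallow isolated_app app_data_file:file open;` would keep a future edit from widening it. A renderer holding a lock on a shared database file can presumably stall other users of that file, so the granting app should treat lock contention on such files as possible.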
-- 
GitLab