diff --git a/isolated_app.te b/isolated_app.te
index 48bf3defc1abd28c58308d2c8b890087a13c41e9..c3685279f3a3c0586af4e70580482da756753b82 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -13,7 +13,7 @@ type isolated_app, domain;
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
-allow isolated_app app_data_file:file { read write getattr };
+allow isolated_app app_data_file:file { read write getattr lock };
 
 allow isolated_app activity_service:service_manager find;
 allow isolated_app display_service:service_manager find;