diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 461b53e03..d0c81e4ff 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -64,6 +64,8 @@
 overlayfs_file
 recovery_socket
 role_service
+ rss_hwm_reset
+ rss_hwm_reset_exec
 runtime_service
 super_block_device
 system_lmk_prop
diff --git a/private/file_contexts b/private/file_contexts
index fac31a087..0d0835d28 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -251,6 +251,7 @@
 /system/bin/usbd u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd u:object_r:logd_exec:s0
+/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto u:object_r:perfetto_exec:s0
 /system/bin/traced u:object_r:traced_exec:s0
 /system/bin/traced_probes u:object_r:traced_probes_exec:s0
diff --git a/private/rss_hwm_reset.te b/private/rss_hwm_reset.te
new file mode 100644
index 000000000..30818c2fa
--- /dev/null
+++ b/private/rss_hwm_reset.te
@@ -0,0 +1,14 @@
+type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
+
+# Start rss_hwm_reset from init.
+init_daemon_domain(rss_hwm_reset)
+
+# Search /proc/pid directories.
+allow rss_hwm_reset domain:dir search;
+
+# Write to /proc/pid/clear_refs of other processes.
+# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
+allow rss_hwm_reset self:global_capability_class_set { dac_override };
+
+# Write to /prc/pid/clear_refs.
+allow rss_hwm_reset domain:file w_file_perms;
diff --git a/public/domain.te b/public/domain.te
index d0e4e41fe..ab6610f14 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1354,6 +1354,7 @@ define(`dac_override_allowed', `{
 perfprofd
 postinstall_dexopt
 recovery
+ rss_hwm_reset
 sdcardd
 tee
 ueventd
diff --git a/public/rss_hwm_reset.te b/public/rss_hwm_reset.te
new file mode 100644
index 000000000..163e1acde
--- /dev/null
+++ b/public/rss_hwm_reset.te
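Review bot: The last rule in private/rss_hwm_reset.te, `allow rss_hwm_reset domain:file w_file_perms;`, grants more than its comment says. Entries under /proc/<pid> are generally labeled with the owning process's domain, so it permits writes to every such file of every domain, not only clear_refs, and `dac_override` removes the DAC check that would otherwise narrow it. The policy cannot express the narrower intent, so the comment should state the real scope, e.g. `# /proc/pid files carry the process label, so this covers all of them; the binary must only ever open clear_refs.`, and the `/prc` typo should be fixed. A guard on who may enter the domain would also help, for example `neverallow { domain -init } rss_hwm_reset:process { transition dyntransition };`. The `dac_override_allowed` hunk in public/domain.te is the matching neverallow exception and needs the same scrutiny.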
@@ -0,0 +1,2 @@
+# rss_hwm_reset resets RSS high-water mark counters for all procesess.
+type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
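Review bot: `mlstrustedsubject` on the type declaration has no explanation, although it exempts the domain from MLS constraints on every object it accesses. It is presumably there so the tool can write clear_refs of app processes that run with per-app categories. A comment saying so would make the grant auditable, e.g. `# mlstrustedsubject: must write /proc/pid/clear_refs of processes at any MLS level.` The header comment also misspells "processes".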