diff --git a/fs/Kconfig b/fs/Kconfig
index 562a57bc7d04ade30fc778af4568e836faf7592f..b8ef9f997548db2f1c7b2ab30eb5b2d2f9b37aa8 100644
--- a/fs/Kconfig
+++ b/fs/Kconfig
@@ -51,6 +51,7 @@ source "fs/btrfs/Kconfig"
 source "fs/nilfs2/Kconfig"
 source "fs/f2fs/Kconfig"
 source "fs/zonefs/Kconfig"
+source "fs/proc/memory_security/Kconfig"
 endif # BLOCK
diff --git a/fs/exec.c b/fs/exec.c
index 2f2b0acec4f01871d7eba80cbbae7ce16a462591..e7e431e2a479d8e35854ba2a8f4b2eb186c4e2dd 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -75,6 +75,7 @@
 #include "internal.h"
 #include
+#include
 static int bprm_creds_from_file(struct linux_binprm *bprm);
@@ -1868,6 +1869,7 @@ static int bprm_execve(struct linux_binprm *bprm,
 	user_events_execve(current);
 	acct_update_integrals(current);
 	task_numa_free(current, false);
+	CALL_HCK_LITE_HOOK(ced_detection_lhck, current);
 	return retval;
 out:
diff --git a/fs/proc/Makefile b/fs/proc/Makefile
index bd08616ed8bad7937173183eb08634c9526a4e90..04a0dd7256c29d512d4fcec4ea659bc357fe286b 100644
--- a/fs/proc/Makefile
+++ b/fs/proc/Makefile
@@ -34,3 +34,4 @@ proc-$(CONFIG_PROC_VMCORE) += vmcore.o
 proc-$(CONFIG_PRINTK) += kmsg.o
 proc-$(CONFIG_PROC_PAGE_MONITOR) += page.o
 proc-$(CONFIG_BOOT_CONFIG) += bootconfig.o
+obj-$(CONFIG_MEMORY_SECURITY) += memory_security/
diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 3dd5be96691b4cc234454353ec1b8a324760e0c2..bd8285811728757693ee96a17c6a622280cf9dd1 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include "internal.h"
+#include
 #define SEQ_PUT_DEC(str, val) \
 	seq_put_decimal_ull_width(m, str, (val) << (PAGE_SHIFT-10), 8)
@@ -279,6 +280,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
 	start = vma->vm_start;
 	end = vma->vm_end;
+	CALL_HCK_LITE_HOOK(hideaddr_header_prefix_lhck, &start, &end, &flags, m, vma);
 	show_vma_header_prefix(m, start, end, flags, pgoff, dev, ino);
 	if (mm)
 		anon_name = anon_vma_name(vma);
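Review bot: The hook added before `show_vma_header_prefix` can rewrite `start`, `end` and `flags` through the pointers it receives, but nothing at the call site says so, and the rest of show_map_vma (which continues outside the hunk) still describes the unmodified `vma`, so a reader has to open the hook to learn that the printed range may no longer match the VMA. A one-line comment at the call would make that contract visible: `/* hideaddr: may substitute the range/flags shown for this VMA before the header is emitted */`. Also, show_map_vma serves both /proc/PID/maps and smaps, but as far as I recall /proc/PID/numa_maps and the pagemap interface format their output separately, so if the goal is to hide executable anonymous regions from a reader those paths need the same treatment or the hiding is only partial — worth confirming against the hook's design.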
diff --git a/include/uapi/asm-generic/mman-common.h b/include/uapi/asm-generic/mman-common.h
index 6ce1f1ceb432c64599f706b86e74a12581c2a54e..2b18883487ac92545cc82d7525b5b38a374cef72 100644
--- a/include/uapi/asm-generic/mman-common.h
+++ b/include/uapi/asm-generic/mman-common.h
@@ -33,6 +33,9 @@
 #define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be
 * uninitialized */
+#define MAP_JIT 0x80000000 /* For JIT compiler which apply FORT_NONE memory
+ * and turn it into PORT_EXEC when code run */
+
 /*
  * Flags for mlock
  */
diff --git a/kernel/cred.c b/kernel/cred.c
index 64404d51c052785829a00428ea212e6a94603367..68e80acff29519c62fe0d14988f45da288860390 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 #if 0
 #define kdebug(FMT, ...) \
@@ -390,6 +391,7 @@ int commit_creds(struct cred *new)
 	struct task_struct *task = current;
 	const struct cred *old = task->real_cred;
+	CALL_HCK_LITE_HOOK(ced_commit_creds_lhck, new);
 	kdebug("commit_creds(%p{%ld})", new,
 	       atomic_long_read(&new->usage));
diff --git a/kernel/exit.c b/kernel/exit.c
index 21a59a6e1f2e8941a314116e06b5337e1ff986dc..e2a70a9f07c016ce51281d8c2f5bcb1363d7639b 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -73,6 +73,8 @@
 #include
 #include
 #include
+#include
+#include
 /*
  * The default value should be high enough to not crash a system that randomly
@@ -811,6 +813,8 @@ void __noreturn do_exit(long code)
 	struct task_struct *tsk = current;
 	int group_dead;
+	CALL_HCK_LITE_HOOK(exit_jit_memory_lhck, current);
+
 	WARN_ON(irqs_disabled());
 	synchronize_group_exit(tsk, code);
@@ -890,6 +894,7 @@ void __noreturn do_exit(long code)
 	exit_tasks_rcu_start();
 	exit_notify(tsk, group_dead);
+	CALL_HCK_LITE_HOOK(ced_exit_lhck, tsk);
 	proc_exit_connector(tsk);
 	mpol_put_task_policy(tsk);
 #ifdef CONFIG_FUTEX
diff --git a/kernel/fork.c b/kernel/fork.c
index 486248a10b8b75497afdfe9cb3caca30450d3d7a..75f01159c909c0ee50d4cc2b0b1f5fc8fe8d5745 100644
--- a/kernel/fork.c
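Review bot: `MAP_JIT` takes bit 31, which as far as I can tell lies inside the huge-page size field that this same header encodes with `MAP_HUGE_SHIFT` (26) and `MAP_HUGE_MASK` (0x3f), so a `MAP_JIT | MAP_HUGETLB` request would be decoded as a page-size exponent rather than as a JIT flag; either choose a bit outside that field, or have the mmap hook reject the combination and document the incompatibility next to the define. The new comment also carries two typos a reader will trip over; it should read `/* For JIT compilers: mapped PROT_NONE and switched to PROT_EXEC when the code runs */`. This is a UAPI header, so the value becomes ABI once shipped and cannot be moved afterwards.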
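Review bot: The `ced_commit_creds_lhck` call sees `new` before commit_creds has done any of its own checks (the `BUG_ON(task->cred != old)` and the actual installation are outside the hunk), so the hook observes a candidate credential set rather than a committed one; if the detector records the transition as having happened, the call deserves a comment saying so, e.g. `/* CED: candidate credentials, inspected before they are committed */`. Credential changes made through override_creds()/revert_creds() do not pass through commit_creds at all, so if temporary privilege changes matter to the detector this placement does not cover them — worth confirming. commit_creds runs on every exec and setuid-style call, so the hook should stay cheap.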
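Review bot: `exit_jit_memory_lhck` runs for every exiting task — individual threads of a multi-threaded process and kernel threads included — but receives only `current`; if its bookkeeping is per-mm, an exiting thread would tear down JIT state that sibling threads still use, and a kernel thread has no mm at all, so the hook has to check `current->mm` and the thread-group state itself (I cannot see the hook; please confirm). Placing the call above `WARN_ON(irqs_disabled())` also means it runs before do_exit's own sanity checks; moving it below `synchronize_group_exit(tsk, code)`, or next to the `ced_exit_lhck` call in the second hunk, would keep the early checks first. do_exit's body continues outside both hunks.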
+++ b/kernel/fork.c
@@ -110,6 +110,7 @@
 #define CREATE_TRACE_POINTS
 #include
+#include
 /*
  * Minimum number of threads to boot the kernel
@@ -2942,6 +2943,7 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 		task_unlock(p);
 	}
+	CALL_HCK_LITE_HOOK(ced_kernel_clone_lhck, p);
 	wake_up_new_task(p);
 	/* forking complete and child started to run, tell ptracer */
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 15781acaac1ceec97fa2ae649d284c025693186e..945731754ff9ab2b2bd4156d6bedde0d6aa944d0 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 static struct kmem_cache *nsproxy_cachep;
@@ -240,6 +241,11 @@ void switch_task_namespaces(struct task_struct *p, struct nsproxy *new)
 {
 	struct nsproxy *ns;
+	int ret = 0;
+	CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck, new);
+	CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_permission_lhck, new, &ret);
+	if (ret)
+		return;
 	might_sleep();
 	task_lock(p);
diff --git a/mm/mmap.c b/mm/mmap.c
index 9e018d8dd7d6930519760e8d96d02386294e4a68..fb20221968457c9a68f219bdece01b68f0178fb1 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -52,6 +52,7 @@
 #include
 #include
 #include
+#include
 #define CREATE_TRACE_POINTS
 #include
@@ -1418,6 +1419,12 @@ unsigned long ksys_mmap_pgoff(unsigned long addr, unsigned long len,
 	}
 	retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff);
+
+	if (!IS_ERR_VALUE(retval)) {
+		CALL_HCK_LITE_HOOK(check_jit_memory_lhck, current, fd, prot, flags, PAGE_ALIGN(len), &retval);
+		if (IS_ERR_VALUE(retval))
+			pr_info("JITINFO: jit request denied");
+	}
 out_fput:
 	if (file)
 		fput(file);
@@ -2629,6 +2636,11 @@ int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm,
 	if (end == start)
 		return -EINVAL;
+	int errno = 0;
+	CALL_HCK_LITE_HOOK(delete_jit_memory_lhck, current, start, len, &errno);
+	if (errno)
+		return errno;
+
 	/* arch_unmap() might do unmaps itself. */
 	arch_unmap(mm, start, end);
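Review bot: The `ced_kernel_clone_lhck` call sits between `task_unlock(p)` and `wake_up_new_task(p)`, which is the right window for inspecting the child before it can run, but kernel_clone is also the path behind kernel_thread()/user_mode_thread(), so `p` may be a kernel thread with no mm — the hook must tolerate that, and a comment at the call site would save the next reader the trip: `/* CED: record the new task before it becomes runnable; p may be a kernel thread */`. There is no way to veto the clone here because the child already exists; if denial is ever intended it belongs in copy_process's error path. kernel_clone continues outside the hunk.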
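Review bot: The early `return` when the permission hook sets `ret` leaves switch_task_namespaces without installing `new` and without telling the caller, and the function is `void`, so as far as I can tell unshare()/setns() would report success while the task stays in its old namespaces and the `new` nsproxy reference handed in is never released. The same function is also reached from exit_task_namespaces() with `new == NULL`, so both hooks must handle a NULL argument or an exiting task's nsproxy is never dropped. The clean fix is to run the permission check in the callers before the new nsproxy is created or installed and return `-EPERM` from there; if the check has to stay here, change the function to return an int and make the callers check it, and release the reference on the denied path. The function body continues outside the hunk.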
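Review bot: In ksys_mmap_pgoff the hook runs only after `vm_mmap_pgoff` has already succeeded and may then overwrite `retval` with an error, so unless the hook itself unmaps the region (I cannot see it), a denied JIT request leaves the mapping in place while the caller is told it failed; either perform the check before the mapping is created or save the address and unmap it with `vm_munmap(addr, PAGE_ALIGN(len))` before `retval` is replaced. `pr_info("JITINFO: jit request denied")` is on a path any unprivileged process can hit in a loop; use `pr_info_ratelimited()` (or `pr_debug`) and include comm/pid and the address so the message is actionable for an operator. The function continues outside the hunk.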
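Review bot: In do_vmi_munmap, `int errno = 0;` is declared mid-block after a `return` and reuses a name every C reader associates with the libc global, which checkpatch and reviewers will both flag; `int err = 0;` next to the function's other declarations (above the hunk) reads better. do_vmi_munmap is not only the munmap(2) path as far as I recall — MAP_FIXED replacement in mmap_region, brk shrinking and mremap go through it too — so a veto from `delete_jit_memory_lhck` will surface as failures of those operations as well; if that is intended it deserves a comment here, e.g. `/* JIT regions may refuse to be unmapped; this applies to every do_vmi_munmap caller */`. The function continues outside the hunk.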
diff --git a/mm/mprotect.c b/mm/mprotect.c
index b94fbb45d5c71f1d7a75828e780afd97616be135..569072a152ee5b88a97f722dfb5254c479a7e2c1 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -38,6 +38,7 @@
 #include
 #include "internal.h"
+#include
 bool can_change_pte_writable(struct vm_area_struct *vma, unsigned long addr,
 			     pte_t pte)
@@ -701,6 +702,14 @@ static int do_mprotect_pkey(unsigned long start, size_t len,
 	start = untagged_addr(start);
+	if (prot & PROT_EXEC) {
+		CALL_HCK_LITE_HOOK(find_jit_memory_lhck, current, start, len, &error);
+		if (error) {
+			pr_info("JITINFO: mprotect protection triggered");
+			return error;
+		}
+	}
+
 	prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP);
 	if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */
 		return -EINVAL;
diff --git a/security/Kconfig b/security/Kconfig
index 52c9af08ad35d3d31995337d4643b26c015f75ca..f01e53cce1d9f17cb24b40ae99a3d8032c5e03dd 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -194,6 +194,7 @@ source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
 source "security/landlock/Kconfig"
+source "security/container_escape_detection/Kconfig"
 source "security/integrity/Kconfig"
diff --git a/security/Makefile b/security/Makefile
index 18121f8f85cd7d0d99f758ee9eaf0cd389e2e078..9405ac9c85faba0f9edbde3a738b72e958efc07a 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -4,6 +4,7 @@
 #
 obj-$(CONFIG_KEYS) += keys/
+subdir-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection
 # always enable default capabilities
 obj-y += commoncap.o
@@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
 obj-$(CONFIG_CGROUPS) += device_cgroup.o
 obj-$(CONFIG_BPF_LSM) += bpf/
 obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/
+obj-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection/
 # Object integrity file lists
 obj-$(CONFIG_INTEGRITY) += integrity/
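Review bot: The new `if (prot & PROT_EXEC)` block tests `error` after the hook call, but `error` is declared outside the hunk and, as I recall do_mprotect_pkey, without an initializer; unlike the `int ret = 0;` / `int errno = 0;` used by the sibling hunks in this series, nothing here sets it, so if `CALL_HCK_LITE_HOOK` expands to nothing when no hook is registered the `if (error)` reads an indeterminate value and mprotect(PROT_EXEC) can fail at random — add `error = 0;` immediately before the call. The block also runs before the page-alignment, `!len` and `end <= start` checks that follow the hunk, so the hook receives unvalidated `start`/`len` and must defend against unaligned, zero-length or wrapping ranges itself; moving the block below `end = start + len` would hand it a sanitised range. `pr_info("JITINFO: mprotect protection triggered")` is user-triggerable at will and should be `pr_info_ratelimited()` with comm/pid and the range. The function continues past the hunk.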
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 53cfeefb2f19425c428f6e997a61af60d94efe3f..ff4b48f37a91696afdcf5610408252a6a7f99f4a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -92,6 +92,7 @@
 #include
 #include
 #include
+#include
 #include "avc.h"
 #include "objsec.h"
@@ -6489,6 +6490,7 @@ static int selinux_setprocattr(const char *name, void *value, size_t size)
 	}
 	commit_creds(new);
+	CALL_HCK_LITE_HOOK(ced_setattr_insert_lhck, current);
 	return size;
 abort_change:
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index a3c380775d410c513e256450a08a6c22ccc3749a..0f99d583441065cae9fb36453e7566084e956e82 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -256,6 +256,12 @@ const struct security_class_mapping secclass_map[] = {
 	  { "override_creds", "sqpoll", "cmd", NULL } },
 	{ "user_namespace",
 	  { "create", NULL } },
+	{ "hideaddr",
+	  { "hide_exec_anon_mem", "hide_exec_anon_mem_debug", NULL } },
+	{ "jit_memory",
+	  { "exec_mem_ctrl", NULL} },
+	{ "ced",
+	  { "container_escape_check", NULL} },
 	{ NULL }
 };
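Review bot: The `ced_setattr_insert_lhck` call is placed after `commit_creds(new)` inside selinux_setprocattr, so it only fires when SELinux is the LSM handling the /proc/PID/attr write, and since commit_creds is already hooked in kernel/cred.c in this same series it is not obvious what this second call adds beyond marking that the change arrived through the attr interface; a comment stating that would help: `/* CED: credentials changed via /proc/PID/attr; the commit_creds hook has already run */`. If the intent is to see every attr-driven change regardless of which LSM is active, the LSM-independent caller (security_setprocattr / proc_pid_attr_write) is the place rather than one LSM's implementation — worth confirming. The function continues outside the hunk.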
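Review bot: The three new class rows are appended just before the `{ NULL }` terminator, which keeps existing class numbers stable, but the policy shipped with this kernel must define `hideaddr`, `jit_memory` and `ced` with exactly these permission names; the commit does not show the policy side, and what happens to checks against a class the loaded policy does not define depends on the policy's unknown-class handling — confirm that the enforcement intended by the memory_security and container_escape_detection code is actually reached. Style: `NULL}` in the `jit_memory` and `ced` rows should be `NULL }` to match every other row in the table. A short comment above the block naming the consumer of these classes would help future policy maintainers, since nothing in this header ties them to the new subsystems.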