instead of user accounts, use BFS metadata to enforce mandatory access controls to
- files
- processes
- memory
- devices
- cpu priority
- virtualized instances / KVMs / jails