--sanebox-keep-namespace pid
isolatePids = false
it only cost everything. also, blast doesn't reliably clean up its pseudo devices
blast-to-default