Where are some useful sandbox docs?

I have a wrapper for 'sudo' which calls this policy:

(version 1)
;; (debug deny)
(allow default)
(deny file-write*)
(allow file-write*
(deny file-read* file-read-data

However, sudo doesn't work. Commenting out 'debug deny' got me this hint:

sandbox-exec(37760) deny forbidden-exec-sugid

For giggles, I tried:

(allow forbidden-exec-sugid)

That earned me:

sandbox-exec: line 4: unbound variable: forbidden-exec-sugid

I've been Googling for docs that explain all of the possible options but came up dry. The man pages sure don't help much.
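For reference, here is a small sandbox-exec profile in the same `(version 1)` dialect as the one posted above. It is an added illustration, not the poster's wrapper profile, and the paths in it are made up for the example: it shows the three filter forms (`literal`, `subpath`, `regex`) that a rule like `(allow file-write* ...)` or `(deny file-read* file-read-data ...)` takes as arguments, and the deny-then-re-allow layering the posted profile appears to be using.

```scheme
;; Added example profile (not the original poster's). Paths are illustrative.
(version 1)

;; Log every denial to the system log while developing the profile;
;; remove this line once the rule set is settled.
(debug deny)

;; Start permissive, then carve out what the wrapped tool must not do.
(allow default)

;; Block all writes, then re-open only the locations the tool needs.
(deny file-write*)
(allow file-write*
       (literal "/dev/null")              ; exact path
       (subpath "/private/tmp")           ; this directory and everything below it
       (regex #"^/dev/tty"))              ; terminal devices, matched by pattern

;; Reads are filtered the same way; each rule may list several operations.
(deny file-read* file-read-data
      (subpath "/Users/example/secret"))  ; assumed path, not a real location
```

Save it as a file and run the wrapped command through it with `sandbox-exec -f profile.sb <command>`; with `(debug deny)` in place, each blocked operation is reported as a `deny <operation>` line in the system log, which is the kind of message quoted above. Note that only names that sandbox-exec accepts as operations (such as `file-write*` or `process-exec`) can appear after `allow` or `deny`; a word taken from a log message that is not an operation name is rejected as an unbound variable, as the poster saw.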