Where are some useful sandbox docs?

I have a wrapper for 'sudo' which calls this policy:

(version 1)
;; (debug deny)
(allow default)
(deny file-write*)
(allow file-write*
    (regex
        "^(/private)?/dev/"
        "^(/private)?/tmp/"
        "^(/private)?/var/tmp/"
        "^/opt/remote"
    ))
(deny file-read* file-read-data
    (regex
        "^/Users"
        "^/Volumes"
        "^/Developer"
    ))

However, sudo doesn't work. Commenting out 'debug deny' got me this hint:

sandbox-exec(37760) deny forbidden-exec-sugid

For giggles, I tried:

(allow forbidden-exec-sugid)

That earned me:

sandbox-exec: line 4: unbound variable: forbidden-exec-sugid


I've been Googling for docs that explain all of the possible options but came up dry. The man pages sure don't help much.
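To see how the rules in a profile like the one above compose, here is a small added example (not from the original post, and not Apple's implementation) that transcribes the posted profile into a list of rules and evaluates paths against it. It assumes the SBPL convention that, for a given operation, the last matching rule wins, with `(allow default)` as the fallback for anything no other rule matches. The `forbidden-exec-sugid` denial from the post is modelled as a fixed refusal to exec setuid/setgid binaries that no profile rule can override, which is why the `sudo` wrapper cannot get past it; the function and rule names below are this example's own, not sandbox-exec's API.

```python
"""
Tiny model of how the file rules in the posted sandbox-exec (SBPL) profile
compose.  Added example, not from the original post and not Apple's
implementation.  Assumptions: for one operation the last matching rule wins;
an operation ending in '*' covers every sub-operation with that prefix;
'default' covers every operation; exec of a setuid/setgid binary is refused
unconditionally (the post's 'deny forbidden-exec-sugid').
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    effect: str            # "allow" or "deny"
    operations: tuple      # e.g. ("file-write*",)
    patterns: tuple = ()   # regexes; empty tuple means "every path"


# The profile from the post, transcribed into rules in source order.
PROFILE = [
    Rule("allow", ("default",)),
    Rule("deny", ("file-write*",)),
    Rule("allow", ("file-write*",), (
        r"^(/private)?/dev/",
        r"^(/private)?/tmp/",
        r"^(/private)?/var/tmp/",
        r"^/opt/remote",
    )),
    Rule("deny", ("file-read*", "file-read-data"), (
        r"^/Users",
        r"^/Volumes",
        r"^/Developer",
    )),
]


def op_matches(rule_op, op):
    """'default' covers everything; 'file-write*' covers file-write-data etc."""
    if rule_op == "default":
        return True
    if rule_op.endswith("*"):
        return op.startswith(rule_op[:-1])
    return rule_op == op


def decide(profile, op, path):
    """Return "allow" or "deny" for (operation, path): last matching rule wins."""
    verdict = "deny"   # with no matching rule at all, the sandbox denies
    for rule in profile:
        if not any(op_matches(r, op) for r in rule.operations):
            continue
        if rule.patterns and not any(re.search(p, path) for p in rule.patterns):
            continue
        verdict = rule.effect
    return verdict


def exec_allowed(profile, path, is_sugid):
    """Model of process-exec: a setuid/setgid target is refused regardless of
    the profile (modelled after the post's 'deny forbidden-exec-sugid')."""
    if is_sugid:
        return False
    return decide(profile, "process-exec", path) == "allow"


if __name__ == "__main__":
    # Constructed sample requests, not taken from a real trace.
    requests = [
        ("file-write-data", "/tmp/scratch"),
        ("file-write-data", "/etc/hosts"),
        ("file-read-data", "/Users/me/.ssh/id_rsa"),
        ("file-read-data", "/etc/hosts"),
    ]
    for op, path in requests:
        print(f"{op:16} {path:26} -> {decide(PROFILE, op, path)}")
    print("exec /usr/bin/sudo (setuid)      ->",
          "allow" if exec_allowed(PROFILE, "/usr/bin/sudo", True) else "deny")
```

Two things the model makes visible: reads outside `/Users`, `/Volumes` and `/Developer` are allowed only because of `(allow default)`, so tightening the profile later means changing that line rather than adding more deny rules; and the pattern `^/opt/remote` has no trailing slash, so it also permits writes under any sibling such as `/opt/remote-backup`, which a trailing `/` would avoid.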