In addition to the ACL jail, why not use pam_chroot and pam_mount?
pam_chroot can lock a user into a chroot upon login (it comes standard with Gentoo PAM, not sure about others).
pam_mount can make building a chroot easier, as you can build a single file structure that you want the users to have access to and "mount -o bind,nosuid,nodev,ro...etc" it into the preferred chroot at login time. If you intend on chrooting a bunch of users, "mount -o bind" makes maintaining it much easier. pam_mount is also useful for encrypted home-dirs.
pam_mount can be found at http://www.flyn.org/#id5426299
Using both of those with grsecurity makes it very hard to break a system even with a local account.
Good rule of thumb... the more complex your security system, the harder it will be to maintain and keep secure. Keep all of your security consistent and clean. If it feels overwhelming and you start putting things off, you might be doing something wrong.
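
One way to check that the bind mounts inside a jail really ended up with the ro, nosuid and nodev options named in the comment above is to read them back from the mount table. This is an added example, not part of the original comment; the function names, the jail path /jail/alice and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Audit a chroot jail's mounts: every mount at or below ROOT must carry all
# of REQUIRED_OPTS. Depending on the mount(8) version, options passed along
# with "bind" may only take effect after a separate remount, so reading the
# live mount table is more reliable than trusting the command line.
REQUIRED_OPTS="ro nosuid nodev"

# audit_jail_mounts ROOT [MOUNTS_FILE]
# Prints "<mountpoint> missing:<opt,opt>" per offending mount.
# Returns 0 if all mounts under ROOT are compliant, 1 otherwise.
audit_jail_mounts() {
    root=${1%/}
    file=${2:-/proc/self/mounts}
    bad=0
    while read -r _dev mnt _type opts _rest; do
        case "$mnt" in
            "$root"|"$root"/*) ;;   # inside the jail (not /jail/alice2)
            *) continue ;;
        esac
        missing=""
        for want in $REQUIRED_OPTS; do
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "$mnt missing:$missing"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample in /proc/mounts format (hypothetical jail /jail/alice).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /jail/alice/usr ext4 ro,nosuid,nodev,relatime 0 0
/dev/sda3 /jail/alice/lib ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /jail/alice2/usr ext4 rw,relatime 0 0
tmpfs /jail/alice/tmp tmpfs rw,nosuid,relatime 0 0
EOF
}
```

Run against the live system with `audit_jail_mounts /path/to/jail`; a writable directory that is meant to be rw inside the jail will be reported and can be reviewed by hand.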