vfs: Follow symlinks in MkdirAllAt

See #11910 for details — this potentially fixes a divergence between gVisor and
runc behavior where having the `cwd` of the OCI container spec set to a symlink
to a folder causes gVisor to exit with this error:

```
running container: starting container: starting root container: starting sandbox: failed to create process working directory "/cwd-folder-name-here": not a directory
```

Fixes #11910

FUTURE_COPYBARA_INTEGRATE_REVIEW=#11911 from ekzhang:patch-1 3f7bca1
PiperOrigin-RevId: 783024019

Author: ekzhang

pkg/sentry/vfs/vfs.go

@@ -878,7 +878,16 @@ func (vfs *VirtualFilesystem) MkdirAllAt(ctx context.Context, currentPath string
 		Start: root,
 		Path:  fspath.Parse(currentPath),
 	}
+
+	// For the StatAt() operation, we follow final symlinks so that we don't
+	// produce errors when the final component is a symlink to a directory.
+	//
+	// However, keep the old pop unchanged when passing to MkdirAt() below
+	// because MkdirAt() must not follow the final symlink. This is enforced
+	// by preconditions of FilesystemImpl.MkdirAt().
+	pop.FollowFinalSymlink = true
 	stat, err := vfs.StatAt(ctx, creds, pop, &StatOptions{Mask: linux.STATX_TYPE})
+	pop.FollowFinalSymlink = false
 	switch {
 	case err == nil:
 		if mustBeDir && (stat.Mask&linux.STATX_TYPE == 0 || stat.Mode&linux.FileTypeMask != linux.ModeDirectory) {