Follow symlinks in MkdirAllAt

See #11910 for details — this potentially fixes a divergence between gVisor and
runc behavior where having the `cwd` of the OCI container spec set to a symlink
to a folder causes gVisor to exit with this error:

```
running container: starting container: starting root container: starting sandbox: failed to create process working directory "/cwd-folder-name-here": not a directory
```

FUTURE_COPYBARA_INTEGRATE_REVIEW=#11911 from ekzhang:patch-1 57017a5
PiperOrigin-RevId: 781612832

Author: ekzhang

pkg/sentry/vfs/vfs.go

@@ -874,9 +874,10 @@ func (vfs *VirtualFilesystem) getFilesystems() map[*Filesystem]struct{} {
 // (including the last component).
 func (vfs *VirtualFilesystem) MkdirAllAt(ctx context.Context, currentPath string, root VirtualDentry, creds *auth.Credentials, mkdirOpts *MkdirOptions, mustBeDir bool) error {
 	pop := &PathOperation{
-		Root:  root,
-		Start: root,
-		Path:  fspath.Parse(currentPath),
+		Root:               root,
+		Start:              root,
+		Path:               fspath.Parse(currentPath),
+		FollowFinalSymlink: true,
 	}
 	stat, err := vfs.StatAt(ctx, creds, pop, &StatOptions{Mask: linux.STATX_TYPE})
 	switch {