fix: mount to resolved symlink target path using readlink

Root cause: When mounting to /etc/resolv.conf (a symlink), mount follows the symlink
but our placeholder file might not be at the expected location in the mount namespace.

Solution: Use readlink -f to get the actual target path before mounting:

mount --bind /etc/netns/.../resolv.conf $(readlink -f /etc/resolv.conf || echo /etc/resolv.conf)

This ensures we mount to the correct location whether /etc/resolv.conf is a regular
file or a symlink.

Tested on ml-1 with external DNS (8.8.8.8) - all 23 tests pass, host resolv.conf
remains untouched.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: ammario

src/jail/linux/mod.rs

@@ -544,10 +544,13 @@ impl Jail for LinuxJail {
 
         // Build wrapper shell command that:
         // 1. Creates symlink target placeholder (if needed)
-        // 2. Bind-mounts our custom resolv.conf
+        // 2. Bind-mounts our custom resolv.conf to the RESOLVED path (following symlinks)
         // 3. Execs the user command
+        //
+        // CRITICAL: We mount to $(readlink -f /etc/resolv.conf) not /etc/resolv.conf directly,
+        // because mount follows symlinks and we need the actual target path.
         let shell_cmd = format!(
-            "mkdir -p /run/systemd/resolve && touch /run/systemd/resolve/stub-resolv.conf && mount --bind {} /etc/resolv.conf && exec {}",
+            "mkdir -p /run/systemd/resolve && touch /run/systemd/resolve/stub-resolv.conf && mount --bind {} $(readlink -f /etc/resolv.conf || echo /etc/resolv.conf) && exec {}",
             resolv_path,
             escaped_parts.join(" ")
         );