diff --git a/contrib/cmd/memfd-bind/README.md b/contrib/cmd/memfd-bind/README.md
index 8123c897006..c4887fa7f0e 100644
--- a/contrib/cmd/memfd-bind/README.md
+++ b/contrib/cmd/memfd-bind/README.md
@@ -25,7 +25,7 @@ The provided `memfd-bind@.service` file can be used to get systemd to manage
 this daemon. You can supply the path like so:
 
 ```
-% systemctl start memfd-bind@/usr/bin/runc
+% systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc)
 ```
 
 Thus, there are three ways of protecting against CVE-2019-5736, in order of how
diff --git a/contrib/cmd/memfd-bind/memfd-bind@.service b/contrib/cmd/memfd-bind/memfd-bind@.service
index 591548ea4d9..89086902651 100644
--- a/contrib/cmd/memfd-bind/memfd-bind@.service
+++ b/contrib/cmd/memfd-bind/memfd-bind@.service
@@ -1,11 +1,11 @@
 [Unit]
-Description=Manage memfd-bind of %I
-Documentation=https://github.com/opencontainers/runc
+Description=Manage memfd-bind of %f
+Documentation=https://github.com/opencontainers/runc/blob/main/contrib/cmd/memfd-bind/README.md
 
 [Service]
 Type=simple
-ExecStart=memfd-bind "%I"
-ExecStop=memfd-bind --cleanup "%I"
+ExecStart=memfd-bind "%f"
+ExecStop=memfd-bind --cleanup "%f"
 
 [Install]
 WantedBy=multi-user.target
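Review bot: The unit file itself never says that the instance name must be a path-escaped absolute path, and with `%f` now used in `Description=`, `ExecStart=` and `ExecStop=` a plain instance name (for example a constructed `memfd-bind@runc`) would, per systemd.unit(5), expand to `/runc` instead of failing. A comment at the top of the file would put that contract where administrators will see it, e.g. `# Instance name must be a path-escaped absolute path: memfd-bind@$(systemd-escape -p /usr/bin/runc).service`. Separately, `ExecStart=memfd-bind` and `ExecStop=memfd-bind` name the binary without a directory, so systemd resolves it through its built-in search path. No `User=` is set, so the daemon runs as root, and packagers may want to substitute the absolute install path.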