    Fix memory erasure on shutdown with systemd v239 (refs: #16097). · 634e5a6d
    intrigeri authored
    Remounting /run with the "exec" option in /lib/systemd/system-shutdown/tails
    does not work anymore with systemd v239, while it worked at least until systemd
    v237. I could not find out why by reading systemd's NEWS file.
    
    So let's instead do this there:
    
     - For clean shutdown: in a new, dedicated service, started immediately before
       final.target, which itself is a synchronization point that ensures this
       service is started before the transition to systemd-shutdown and in turn to
       the initramfs, where we finish the unmounting and other clean ups needed to
       erase the memory.
    
     - For emergency shutdown: in the udev watchdog script, before calling the
       unclean shutdown code, which bypasses final.target and thus won't run
       tails-remount-run-exec.service. Too bad we have to duplicate this mount
       command but it seems that both instances will become unnecessary quickly
       enough, once systemd DTRT™. Another way would be to manually start
       tails-remount-run-exec.service from the udev watchdog script but I'm
       concerned it will be unreliable when the boot medium has been unplugged.