helium/core/components: restrict installation to an allowed set

just CRLSet for now. more to come in the future as we progressively vet them
2026-04-14 00:14:20 +09:00 · 2025-12-11 18:19:17 +06:00
parent e64526ce10
commit db5ddc92c1
1 changed files with 32 additions and 0 deletions
--- a/patches/helium/core/component-updates.patch
+++ b/patches/helium/core/component-updates.patch
@@ -127,3 +127,35 @@
 }
 
 std::string ChromeConfigurator::GetProdId() const {
+--- a/components/component_updater/component_installer.cc
+++ b/components/component_updater/component_installer.cc
+@@ -12,6 +12,7 @@
+ #include <utility>
+ #include <vector>
+ 
+#include "base/containers/fixed_flat_set.h"
+ #include "base/files/file_enumerator.h"
+ #include "base/files/file_path.h"
+ #include "base/files/file_util.h"
+@@ -111,7 +112,21 @@ void ComponentInstaller::Register(Compon
+ 
+   std::vector<uint8_t> public_key_hash;
+   installer_policy_->GetHash(&public_key_hash);
+
+  static constexpr auto kAllowedComponents =
+    base::MakeFixedFlatSet<std::string_view>(
+      base::sorted_unique,
+        {
+          "hfnkpimlhhgieaddgfemjhofmfblmnib", // CRLSet
+        }
+    );
+
+   const auto crx_id = update_client::GetCrxIdFromPublicKeyHash(public_key_hash);
+
+  if (!kAllowedComponents.contains(crx_id)) {
+    return;
+  }
+
+   Register(base::BindOnce(&ComponentUpdateService::RegisterComponent,
+                           base::Unretained(cus)),
+            std::move(callback), cus->GetRegisteredVersion(crx_id),