From db5ddc92c1a9dbebd746652df5dfd65ae49a22b4 Mon Sep 17 00:00:00 2001
From: wukko
Date: Thu, 11 Dec 2025 18:19:17 +0600
Subject: [PATCH] helium/core/components: restrict installation to an allowed set just CRLSet for now. more to come in the future as we progressively vet them
---
 patches/helium/core/component-updates.patch | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/patches/helium/core/component-updates.patch b/patches/helium/core/component-updates.patch
index 8e53fe32..70e199de 100644
--- a/patches/helium/core/component-updates.patch
+++ b/patches/helium/core/component-updates.patch
@@ -127,3 +127,35 @@
 }
 std::string ChromeConfigurator::GetProdId() const {
+--- a/components/component_updater/component_installer.cc
++++ b/components/component_updater/component_installer.cc
+@@ -12,6 +12,7 @@
+ #include
+ #include
+
++#include "base/containers/fixed_flat_set.h"
+ #include "base/files/file_enumerator.h"
+ #include "base/files/file_path.h"
+ #include "base/files/file_util.h"
+@@ -111,7 +112,21 @@ void ComponentInstaller::Register(Compon
+
+ std::vector public_key_hash;
+ installer_policy_->GetHash(&public_key_hash);
++
++ static constexpr auto kAllowedComponents =
++ base::MakeFixedFlatSet(
++ base::sorted_unique,
++ {
++ "hfnkpimlhhgieaddgfemjhofmfblmnib", // CRLSet
++ }
++ );
++
+ const auto crx_id = update_client::GetCrxIdFromPublicKeyHash(public_key_hash);
++
++ if (!kAllowedComponents.contains(crx_id)) {
++ return;
++ }
++
+ Register(base::BindOnce(&ComponentUpdateService::RegisterComponent,
+ base::Unretained(cus)),
+ std::move(callback), cus->GetRegisteredVersion(crx_id),
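Review bot: The new early `return;` after the `kAllowedComponents.contains(crx_id)` check drops `callback` without running it and leaves no record of which component was refused. The inner `Register(...)` call just below receives `std::move(callback)`, so a caller that waits on that closure may never be signalled for a blocked component; the closure's contract is not visible in this hunk, so whether to run or drop it should be decided explicitly and stated in a comment. For auditability I would log the rejection before returning, e.g. `VLOG(1) << "Component " << crx_id << " not in kAllowedComponents, skipping registration";`. A short comment above the set would also help whoever adds the next vetted component: it should say that entries are CRX ids derived from the installer's public key hash and must stay sorted for `base::sorted_unique`. The body of `ComponentInstaller::Register` starts and ends outside the hunk.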