helium/core/components: restrict installation to an allowed set

just CRLSet for now. more to come in the future as we progressively vet them

patches/helium/core/component-updates.patch

@@ -127,3 +127,35 @@
  }
  
  std::string ChromeConfigurator::GetProdId() const {
+--- a/components/component_updater/component_installer.cc
++++ b/components/component_updater/component_installer.cc
+@@ -12,6 +12,7 @@
+ #include <utility>
+ #include <vector>
+ 
++#include "base/containers/fixed_flat_set.h"
+ #include "base/files/file_enumerator.h"
+ #include "base/files/file_path.h"
+ #include "base/files/file_util.h"
+@@ -111,7 +112,21 @@ void ComponentInstaller::Register(Compon
+ 
+   std::vector<uint8_t> public_key_hash;
+   installer_policy_->GetHash(&public_key_hash);
++
++  static constexpr auto kAllowedComponents =
++    base::MakeFixedFlatSet<std::string_view>(
++      base::sorted_unique,
++        {
++          "hfnkpimlhhgieaddgfemjhofmfblmnib", // CRLSet
++        }
++    );
++
+   const auto crx_id = update_client::GetCrxIdFromPublicKeyHash(public_key_hash);
++
++  if (!kAllowedComponents.contains(crx_id)) {
++    return;
++  }
++
+   Register(base::BindOnce(&ComponentUpdateService::RegisterComponent,
+                           base::Unretained(cus)),
+            std::move(callback), cus->GetRegisteredVersion(crx_id),